OSIsoft Resolves Security Bypass Vulnerability in PI AF Product
OSIsoft customers are advised to take steps to mitigate an incorrect default permissions vulnerability affecting the PI Asset Framework (PI AF) product.
OSIsoft is a San Leandro, CA-based company that provides operational intelligence solutions. The company’s flagship product, PI System, is designed to enable organizations to capture sensor-based data and leverage it to improve efficiency, quality, sustainability, and safety.
PI AF is a tool that acts as a repository for an organization’s assets and equipment. The product, which uses Microsoft SQL Server databases, is deployed in various critical infrastructure sectors across the world.
According to advisories published by ICS-CERT and OSIsoft, PI AF is plagued by a vulnerability that allows a remote attacker to execute arbitrary SQL statements on the affected system. This could lead to information disclosure, data tampering, privilege elevation, and denial-of-service (DoS), OSIsoft said.
“Some product installations insert the ‘Everyone’ account in the ‘PI SQL (AF) Trusted Users’ group on the PI AF Server. Users in the ‘PI SQL (AF) Trusted Users’ group can bypass most of the security checks that would normally be applied to various types of SQL statements, and can execute commands on the PI AF SQL Database without authorization,” the company wrote in its advisory.
The bug affects products that can add the problematic “Everyone” account, including PI AF Server 2.6 and PI SQL for AF 2.1. The vulnerability has been assigned the CVE identifier CVE-2015-1013 and a CVSS score of 6.5.
The steps PI AF customers must take in order to address the security bug depends on the PI WebParts version that is installed. If PI WebParts 2013 or later is installed, users must simply remove the “PI SQL (AF) Trusted Users” group from the AF Server.
Users of WebParts 2010 (or 2010 R2) can update to the 2013 version or later, and then remove the “PI SQL (AF) Trusted Users” group. Alternatively, users of older versions can remove the “Everyone” user from the “PI SQL (AF) Trusted Users” group, and add a certain account to the Windows group depending on how the SharePoint application pool hosting PI WebParts is running. With older versions of PI WebParts, removing the “Everyone” group could cause errors, OSIsoft noted.
If the WebParts component is not present, users can simply remove the “PI SQL (AF) Trusted Users” group from the AF server.
While there is no evidence that the vulnerability has been exploited in the wild, ICS-CERT noted that even an attacker with low skill can exploit the flaw.