Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

OSIsoft Patches Flaws in PI Server, Web API Products

California-based operational intelligence firm OSIsoft has released updates for its PI Web API and PI Server products to address several vulnerabilities, including ones rated high severity.

ICS-CERT has published two advisories this week to inform organizations about three remotely exploitable flaws affecting the OSIsoft products.

California-based operational intelligence firm OSIsoft has released updates for its PI Web API and PI Server products to address several vulnerabilities, including ones rated high severity.

ICS-CERT has published two advisories this week to inform organizations about three remotely exploitable flaws affecting the OSIsoft products.

One advisory describes two improper authentication vulnerabilities affecting PI Server, a real-time data storage and distribution engine that powers the company’s PI System data management product.

The most serious of the flaws, rated high severity and tracked as CVE-2017-7930, is a protocol weakness in the PI Data Archive component that can be exploited to access clear text data and spoof a server.

The second flaw, rated medium severity and identified as CVE-2017-7934, affects the PI Network Manager and it allows a malicious user to authenticate on the server and cause the vulnerable component to behave unexpectedly.

These weaknesses affect systems with PI Data Archive versions prior to 2017, and they were patched roughly one month ago with the release of security updates.

Another advisory published by ICS-CERT describes a high severity cross-site request forgery (CSRF) vulnerability affecting PI Web API, a suite of REST services and APIs designed to provide web and mobile programmatic access to PI System data.

“The vulnerability allowed for Cross-Site Request Forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request was sent from a browser the server had previously authenticated,” ICS-CERT and OSIsoft wrote in their advisories.

Advertisement. Scroll to continue reading.

The flaw (CVE-2017-7926) impacts all websites using versions of PI Web API prior to 2017 (1.9.0) as the data access layer. A patch was released in May.

All flaws were discovered by OSIsoft itself and there is no evidence of exploits in the wild. The vendor has also provided a series of recommendations for preventing potential attacks exploiting these flaws.

OSIsoft products are used around the world in several industries, including oil and gas, power and utilities, chemicals and petrochemicals, pulp and paper, pharmaceutical, critical facilities, IT, and federal sectors.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

Related: Flaw Found in OSIsoft Product Deployed in Critical Infrastructure Sectors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.