Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure

A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.

A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.

OSIsoft PI System is a data management platform that delivers plant monitoring and analysis capabilities. According to the vendor’s website, PI System has been deployed at over 19,000 sites around the world across various industries, including power, oil and gas, manufacturing, and mining.

Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for this flaw, which is tracked as CVE-2020-12021 and which impacts version 1.12.0.6346 and prior. OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.

Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System. Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server. Alternatively, an attacker could try to convince an insider to inject the code.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Once the malicious code has been injected, the attacker needs to wait for a user with elevated privileges to use the vulnerable PI Web API and pass their cursor over the infected fields, which results in the code getting executed in the victim’s browser. The attacker can inject code that, when executed, displays a phishing page designed to steal the victim’s credentials.

According to Yardeni, the hacker can then use these credentials for a wide range of activities, including to tamper with data that comes from the plant and make engineers or operators believe that everything is operating normally when in fact it’s not (e.g. a boiler’s real temperature could be 100°C and the application will only show 50°C). The attacker can also delete historical plant data, or use the compromised credentials to hack other plant resources that are accessible to the targeted user.

Advertisement. Scroll to continue reading.

The vulnerability can also be exploited to inject code designed for page keylogging, stealing cookies, redirecting users to other websites, changing data on the infected page, and stealing browsing information (e.g. internal IP, browser version, etc.).

“If the attacker has high credentials he or she doesn’t need to exploit the vulnerability. They can get access to the production floor with the high credentials alone,” Yardeni explained. “But if the attacker obtained only weak credentials, with ‘write’ permissions, he/she would be able to exploit the vulnerability to obtain higher credentials and then have access to the entire production environment.”

OTORIO has released a video showing how an attacker could exploit this vulnerability for phishing:

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Related: OSIsoft Warns Employees, Contractors of Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The City of Phoenix has promoted Mitch Kohlbecker to the role of Chief Information Security Officer.

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.