Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure

A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.

OSIsoft PI System is a data management platform that delivers plant monitoring and analysis capabilities. According to the vendor’s website, PI System has been deployed at over 19,000 sites around the world across various industries, including power, oil and gas, manufacturing, and mining.

Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for this flaw, which is tracked as CVE-2020-12021 and which impacts version 1.12.0.6346 and prior. OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.

Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System. Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server. Alternatively, an attacker could try to convince an insider to inject the code.

Once the malicious code has been injected, the attacker needs to wait for a user with elevated privileges to use the vulnerable PI Web API and pass their cursor over the infected fields, which results in the code getting executed in the victim’s browser. The attacker can inject code that, when executed, displays a phishing page designed to steal the victim’s credentials.
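The mechanism described above (a value stored in a PI Server field that is later rendered by a browser client and fires when the cursor passes over it) is the classic stored-XSS pattern. The following is an added example, not code from the article or from OSIsoft: it renders the same constructed field value once by raw string concatenation and once through HTML escaping, and adds a review check a defender could run over stored values to find ones that contain markup. All function and field names are assumptions.

```javascript
// Added example (not OSIsoft's code): why a stored field value must be
// escaped before it is rendered as HTML, plus a triage check over stored
// values. Names and sample data are constructed for illustration.

// Escape the five characters that let text break out of HTML text or
// attribute context. Prefer the platform's own encoder where one exists.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so a value that closes the attribute and opens a tag with an event handler
// becomes live HTML in every viewer's browser.
function renderUnsafe(field) {
  return `<td title="${field.description}">${field.name}</td>`;
}

// Hardened pattern: every stored value is escaped for the context it lands in,
// so the same value is displayed as inert text.
function renderSafe(field) {
  return `<td title="${escapeHtml(field.description)}">${escapeHtml(field.name)}</td>`;
}

// Review check over stored attribute values: flag anything containing a tag
// opener, an on*= event-handler assignment, or a javascript: URL. It is a
// triage aid that can false-positive on ordinary text, not a substitute for
// output encoding at render time.
const SUSPICIOUS = /<[a-z!/]|on[a-z]+\s*=|javascript:/i;
function findSuspiciousFields(fields) {
  return fields.filter(
    (f) => SUSPICIOUS.test(f.name) || SUSPICIOUS.test(f.description),
  );
}

// Constructed sample: one ordinary field and one whose description was
// written by a low-privilege account with write access to the server.
const SAMPLE_FIELDS = [
  { name: "Boiler1.Temp", description: "Boiler 1 outlet temperature (degC)" },
  { name: "Boiler2.Temp", description: '"><span onmouseover="/*injected*/">x</span>' },
];
```

Running `findSuspiciousFields(SAMPLE_FIELDS)` over a real export of stored attribute values gives a starting list for manual review; the escaping in `renderSafe` is what removes the exposure.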

According to Yardeni, the hacker can then use these credentials for a wide range of activities, including tampering with data that comes from the plant so that engineers or operators believe everything is operating normally when in fact it is not (e.g. a boiler’s real temperature could be 100°C while the application shows only 50°C). The attacker can also delete historical plant data, or use the compromised credentials to hack other plant resources that are accessible to the targeted user.

The vulnerability can also be exploited to inject code designed for page keylogging, stealing cookies, redirecting users to other websites, changing data on the infected page, and stealing browsing information (e.g. internal IP, browser version, etc.).

“If the attacker has high credentials he or she doesn’t need to exploit the vulnerability. They can get access to the production floor with the high credentials alone,” Yardeni explained. “But if the attacker obtained only weak credentials, with ‘write’ permissions, he/she would be able to exploit the vulnerability to obtain higher credentials and then have access to the entire production environment.”

OTORIO has released a video showing how an attacker could exploit this vulnerability for phishing:

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
