A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.
OSIsoft PI System is a data management platform that delivers plant monitoring and analysis capabilities. According to the vendor’s website, PI System has been deployed at over 19,000 sites around the world across various industries, including power, oil and gas, manufacturing, and mining.
Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for this flaw, which is tracked as CVE-2020-12021 and which impacts version 1.12.0.6346 and prior. OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.
Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System. Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server. Alternatively, an attacker could try to convince an insider to inject the code.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
Once the malicious code has been injected, the attacker needs to wait for a user with elevated privileges to use the vulnerable PI Web API and pass their cursor over the infected fields, which results in the code getting executed in the victim’s browser. The attacker can inject code that, when executed, displays a phishing page designed to steal the victim’s credentials.
According to Yardeni, the hacker can then use these credentials for a wide range of activities, including to tamper with data that comes from the plant and make engineers or operators believe that everything is operating normally when in fact it’s not (e.g. a boiler’s real temperature could be 100°C and the application will only show 50°C). The attacker can also delete historical plant data, or use the compromised credentials to hack other plant resources that are accessible to the targeted user.
The vulnerability can also be exploited to inject code designed for page keylogging, stealing cookies, redirecting users to other websites, changing data on the infected page, and stealing browsing information (e.g. internal IP, browser version, etc.).
“If the attacker has high credentials he or she doesn’t need to exploit the vulnerability. They can get access to the production floor with the high credentials alone,” Yardeni explained. “But if the attacker obtained only weak credentials, with ‘write’ permissions, he/she would be able to exploit the vulnerability to obtain higher credentials and then have access to the entire production environment.”
OTORIO has released a video showing how an attacker could exploit this vulnerability for phishing:
Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files
Related: OSIsoft Warns Employees, Contractors of Data Breach