OSIsoft Fixes Input Validation Hole

Wednesday, June 15, 2016 @ 11:06 AM gHale


OSIsoft created a new version of PI AF Server 2016 to address an input validation vulnerability, according to a report on ICS-CERT.

OSIsoft reports the vulnerability, which is remotely exploitable, affects PI AF Server prior to 2016 (versions prior to 2.8.0).


The issue exists in a component that ships with the PI AF Server. This component is used by other OSIsoft applications but is not normally used by user applications or users of the PI AF SDK or PI System Explorer. The component can safely be disabled, following the defensive measures, without impacting other PI AF Server functionality, provided that none of the listed OSIsoft applications are also in use.

An attacker who successfully exploits this vulnerability could cause the PI AF Server to stop responding.

OSIsoft maintains headquarters in San Leandro, CA, with global operations.

The PI AF Server is a repository for asset-centric models, hierarchies, objects, and equipment. The PI System uses this core server technology to provide a framework for organizing and analyzing data. PI AF works across several critical infrastructure sectors. OSIsoft said these products see use on a global basis.

A denial-of-service impact occurs when the PI AF Server improperly handles input while processing a message from an authenticated connection.

CVE-2016-4518 is the case number assigned to this vulnerability, which OSIsoft rates as medium using the Common Vulnerability Scoring System (CVSS).

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

OSIsoft recommends upgrading to PI AF Server 2016 to address this issue.

OSIsoft recommends using a host-based firewall to limit access to Port 5459 to only trusted workstations using PI SQL products such as PI OLEDB Enterprise. All versions of PI WebParts and PI Web Services will use PI OLEDB Enterprise for data access if it is configured as a provider for a relational data set. The following products access the PI AF Server 2016 over Port 5459 for search functionality:
• PI WebParts 2010 and earlier
• PI Coresight 2013 and earlier
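
One way to apply the Port 5459 restriction with Windows Firewall, shown as an added example that is not from OSIsoft or ICS-CERT. It assumes the port is TCP; the trusted addresses and the rule name are constructed placeholders.

```powershell
# Added example: restrict inbound access to Port 5459 to trusted workstations.
# Assumptions: TCP transport; the addresses and rule name below are constructed.
$Port     = 5459
$Trusted  = @('192.0.2.10', '192.0.2.11')   # constructed sample addresses
$RuleName = 'PI AF Server 5459 - trusted workstations only'

# Windows Firewall allow rules are additive, so a scoped rule only helps if no
# broader enabled allow rule also covers the port. List candidates for review.
$inbound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$broad = foreach ($rule in $inbound) {
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    $coversPort = ($pf.Protocol -in 'TCP', 'Any') -and
                  (($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -contains 'Any'))
    if ($coversPort -and $rule.DisplayName -ne $RuleName) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            LocalPort     = $pf.LocalPort -join ','
            RemoteAddress = $af.RemoteAddress -join ','
            Program       = ($rule | Get-NetFirewallApplicationFilter).Program
        }
    }
}
# Rules listed here with RemoteAddress 'Any' still admit untrusted hosts.
# Port ranges (for example '5000-6000') are not expanded by this check.
$broad | Format-Table -AutoSize

# Create the scoped allow rule once; rerunning the script does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $Trusted | Out-Null
}

# Unmatched inbound traffic is dropped only when the profile default is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Run it from an elevated session on the PI AF Server host, and tighten or disable any broader rule the review table reports before relying on the scoped rule.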

OSIsoft also recommends that access to the PI AF Server be limited to only those users who need it.

For more information on this vulnerability, see OSIsoft’s Security Bulletin AL00301.