OSIsoft Fixes Input Validation Issue
Wednesday, June 15, 2016 @ 11:06 AM gHale
OSIsoft created a new version to mitigate an input validation vulnerability in its PI SQL Data Access Server, according to a report on ICS-CERT.
The new version is PI SQL Data Access Server (OLE DB) 2016 (1.5).
This vulnerability, which OSIsoft discovered itself, is remotely exploitable.
Affected versions of PI SQL Data Access Server prior to the 2016 (1.5) release include:
• PI JDBC Driver 2015 (188.8.131.524) and earlier
• PI ODBC Driver 2015 (3.5.403) and earlier
An attacker who successfully exploits this vulnerability could cause the PI SQL Data Access Server to stop responding in a way that may cause an incomplete update resulting in partial data loss.
OSIsoft maintains headquarters in San Leandro, CA, with global operations.
The PI SQL Data Access Server is a component that supports the PI SQL family of drivers such as PI ODBC and PI JDBC. While these drivers implement a certain industry standard or API and build the interface to third-party clients or applications, PI SQL Data Access Server is responsible for executing the queries.
PI SQL Data Access Server supports connections and queries to the PI Data Archive and PI AF Server. PI SQL Data Access Server is a layered application not installed with every PI System implementation. PI Asset Framework sees action across several critical infrastructure sectors. These products see use on a global basis.
A denial-of-service impact occurs when the PI SQL Data Access Server improperly handles input while processing a message from an authenticated connection.
CVE-2016-4530 is the case number assigned to this vulnerability, which OSIsoft rated using the Common Vulnerability Scoring System (CVSS) as medium.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
OSIsoft recommends upgrading to PI SQL Data Access Server (OLE DB) 2016 (1.5) to address this issue.
OSIsoft recommends users use a host-based firewall to limit access to Ports 5461 and 5462 only to trusted workstations and PI SQL client products such as:
• PI JDBC Driver
• PI ODBC Driver
They also recommend limited access to PI SQL Data Access Server to users that need it through user rights assignment security policy.
For more information on this vulnerability, please refer to OSIsoft’s Security Bulletin.