OSIsoft Fixes Permissions Hole

Wednesday, May 13, 2015 @ 02:05 PM gHale

OSIsoft identified, reported and fixed a default permissions vulnerability in its PI AF product, according to a report on ICS-CERT.

Under certain conditions, SQL statements can be executed that result in data tampering, information disclosure, repudiation, elevation of privilege, and denial of service.

OSIsoft reports the remotely exploitable vulnerability affects the following products:
• PI AF 2.6 new installs
• PI AF 2.7 upgrade
• PI SQL for AF 2.1

San Leandro, CA-based OSIsoft has global operations. The affected product, PI AF, allows definition of organizational assets and/or equipment.

PI AF uses a Microsoft SQL Server database. According to OSIsoft, PI AF sees action in several critical infrastructure sectors. OSIsoft estimates these products see use worldwide.

Some product installations insert the “Everyone” account in the “PI SQL (AF) Trusted Users” group on the PI AF Server. Users in the “PI SQL (AF) Trusted Users” group can bypass most of the security checks that would normally apply to various types of SQL statements, and can execute commands on the PI AF SQL Database without authorization.

CVE-2015-1013 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.5.

No known public exploits specifically target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.

OSIsoft recommends the following mitigation actions to remove this vulnerability. If a system has PI WebParts installed, the recommended action depends on the version:
PI WebParts 2013 or later:
• Remove the group “PI SQL (AF) Trusted Users” (if it exists) from the AF server
• No further action is required

PI WebParts 2010 (or 2010 R2) – pick one of the two following options:
• Upgrade to PI WebParts 2013 or later and follow the steps above, or
• Follow the mitigation steps below:
  • Remove the “Everyone” user from the “PI SQL (AF) Trusted Users” group on the AF server.
  • If the SharePoint application pool hosting PI WebParts runs as a domain service account, add that service account to the Windows group.
  • If the SharePoint application pool hosting PI WebParts runs as the built-in “Network Services” identity, add the PI WebParts web server’s machine account to the Windows group.

After these configuration changes are made, the user must perform an IISRESET on the PI WebParts web server. If the PI WebParts web server and the AF Server are on the same machine, the built-in “Network Services” identity must be added, and the machine must then restart.

If there is no PI WebParts installation:
• Remove the group “PI SQL (AF) Trusted Users” (if it exists) from the AF server.
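
The membership check behind these mitigation steps, as an added PowerShell example that is not from OSIsoft or ICS-CERT: it reports whether the local group exists on the AF server and whether Everyone (well-known SID S-1-1-0) is a member, and removes that member only when asked. The function name is hypothetical, and the example assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, run elevated on the AF server.

```powershell
# Added example, not vendor code. Assumes Windows PowerShell 5.1+ (LocalAccounts
# cmdlets) and an elevated session on the AF server.
function Test-PiAfTrustedUsersGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Group name as given in the advisory.
        [string]$GroupName = 'PI SQL (AF) Trusted Users',
        # Apply the "remove Everyone" step (PI WebParts 2010 / 2010 R2 path).
        [switch]$RemoveEveryone
    )

    # Match on the well-known SID: the display name "Everyone" is localized.
    $everyoneSid = 'S-1-1-0'

    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if (-not $group) {
        # Nothing to remediate: the group is absent from this server.
        return [pscustomobject]@{
            GroupExists = $false; EveryoneIsMember = $false; Members = @()
        }
    }

    $members  = @(Get-LocalGroupMember -Group $GroupName)
    $everyone = $members | Where-Object { $_.SID.Value -eq $everyoneSid }

    # Removal honours -WhatIf and -Confirm through ShouldProcess.
    if ($everyone -and $RemoveEveryone -and
        $PSCmdlet.ShouldProcess($GroupName, 'Remove Everyone (S-1-1-0)')) {
        Remove-LocalGroupMember -Group $GroupName -Member $everyone
        $members = @(Get-LocalGroupMember -Group $GroupName)
    }

    # Report the state after any change so the result can be logged.
    [pscustomobject]@{
        GroupExists      = $true
        EveryoneIsMember = [bool]($members | Where-Object { $_.SID.Value -eq $everyoneSid })
        Members          = $members | Select-Object Name, ObjectClass, PrincipalSource
    }
}

# Audit only; add -RemoveEveryone -WhatIf to preview the change first.
Test-PiAfTrustedUsersGroup | Format-List
```

Where the advisory calls for removing the group entirely (PI WebParts 2013 or later, or no PI WebParts installation), a result of `GroupExists = True` is itself the finding.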

For more information regarding this vulnerability and the recommended mitigation plan, see OSIsoft’s security bulletin titled “AL00280 – Security Bulletin Vulnerability in PI SQL (AF) Trusted Users group could allow bypassing of security.”

Users may also visit the OSIsoft technical support web site.
