OSIsoft Fixes PI Data Archive Holes

Monday, August 17, 2015 @ 01:08 PM gHale

OSIsoft created a new version of Data Archive (Version 3.4.395.64) to mitigate 56 vulnerabilities in its own PI System software, according to a report on ICS-CERT.

All versions of the PI Data Archive prior to Version 3.4.395.64 suffer from the remotely exploitable vulnerabilities.

Rockwell Working on Vulnerability Fixes
Moxa RTU Controller Vulnerabilities
Vulnerabilities with Prisma Web
Schneider Modicon Vulnerability

An attacker who exploits these vulnerabilities could create a denial-of-service condition or allow remote code execution on the Windows OS running this software.

The issues ended up rated by OSIsoft using the Common Vulnerability Scoring System (CVSS) as follows:
• 21 high (CVSS: 6.8-10)
• 27 medium (CVSS: 3.4-6.7)
• 8 low (CVSS: 0-3.3)

The high-level security issues addressed in PI Data Archive 2015 include:
• CWE-20: Improper Input Validation (6 issues),
• CWE-250: Execution with Unnecessary Privileges (3 issues),
• CWE-200: Information Exposure (1 issue),
• CWE-476: NULL Pointer Dereference / Denial of Service (13 issues), and
• CWE-384: Session Management (2 issues).

These security-related issues ended up discovered in PI Data Archive 2012 as part of OSIsoft’s SDL process.

Some of these vulnerabilities could end up exploited remotely. No known public exploits specifically target these vulnerabilities.

OSIsoft recommends that users upgrade to Data Archive 3.4.395.64 released June 25, 2015.

Users can click here to download the latest software version.

Users can click here to download release notes for the latest software version.

For more information regarding this vulnerability and the recommended mitigation plan, click on OSIsoft’s security bulletin entitled “Advisory: PI Server 2015 Multiple Security Updates.”

Users may also visit the OSIsoft technical support web site.

OSIsoft is a U.S.-based company that maintains its headquarters in San Leandro, CA, with operations globally.

Data Archive is the core server technology used in the PI System for real time data storage and distribution of instrument data, according to OSIsoft. The PI System uses this core server technology to manage and enhance stored instrument data for retrieval, analysis, and visualization. According to OSIsoft, PI Asset Framework sees action in several critical infrastructure sectors. OSIsoft estimates these products see use worldwide.