Chemical Safety Incidents
OSIsoft Mitigates PI Web API Hole
Thursday, October 13, 2016 @ 05:10 PM gHale
OSIsoft created a new version of its PI Web API after it self-identified a permissions vulnerability, according to a report with ICS-CERT.
PI Web API 2015 R2 (Version 1.5.1) suffers from the remotely exploitable vulnerability.
Successful exploit of this vulnerability would allow access to the PI System via the service account user. Unauthorized viewing or alteration of PI System data is possible if the service account user had been configured with elevated permissions.
OSIsoft is a U.S.-based company that maintains headquarters in San Leandro, California, with global operations.
The affected product, PI Web API, is part of OSIsoft’s PI Developer Technologies family of products and can access PI system data. The PI Web API sees action across several critical infrastructure sectors. The product sees use on a global basis.
In the vulnerability, there is a weakness in this product that may allow an attacker to access the PI system without the proper permissions.
CVE-2016-8353 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
OSIsoft recommended upgrading to PI Web API version 2016 (220.127.116.11) or greater to address the vulnerability.
OSIsoft recommended configuring least privilege mappings in the PI System for the PI Web API service account user. If the PI Web API service account user is a domain account, the implicit default mappings are to the Everyone and PIWorld PI identities, which typically serve read-only access roles.
OSIsoft also recommends using a host-based firewall to limit access to PI Web API port 443 to only trusted workstations and software.
For more information on this vulnerability, refer to OSIsoft’s Security Bulletin AL00306 on this topic.