OSIsoft Mitigates Vulnerabilities

Wednesday, August 14, 2013 @ 02:08 PM gHale


OSIsoft produced a software update that mitigates multiple vulnerabilities in the PI Interface for IEEE C37.118, which it reported to ICS-CERT.

OSIsoft has tested the software update to validate it resolves the remotely exploitable vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to shut down the PI Interface for IEEE C37.118 instance and cause a data gap for PI points belonging to it.


All versions of the PI Interface for IEEE C37.118 prior to Version 1.0.6.158 suffer from the issue.

OSIsoft is a U.S.-based company that maintains its headquarters in San Leandro, CA, with operations globally.

The affected product, PI Interface for IEEE C37.118, collects information from synchro-phasor measurement units (PMU devices). PI Interface for IEEE C37.118 sees use with electric utilities and associated research entities, according to OSIsoft. OSIsoft estimates these products primarily see use in the United States and Europe with a small percentage in Asia.

The PI Interface for IEEE C37.118 could read from an invalid memory address when processing C37.118 configuration packets. This could allow the attacker to shut down the PI Interface for IEEE C37.118 instance and cause a data gap for PI points belonging to it.

CVE-2013-2801 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The PI Interface for IEEE C37.118 could corrupt or exhaust memory when processing C37.118 configuration packets. This could allow the attacker to shut down the PI Interface for IEEE C37.118 instance and cause a data gap for PI points belonging to it.

CVE-2013-2800 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
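The advisory does not say which fields of the configuration packet were mishandled. As an added example (not OSIsoft code and not part of the original article), the C code below shows the kind of check that guards against both classes of flaw described above: every length and count a CFG-2 frame declares is compared with the bytes actually received before it is used for indexing or allocation. It assumes the IEEE C37.118 CFG-2 layout (SYNC, FRAMESIZE, NUM_PMU, per-PMU PHNMR/ANNMR/DGNMR, trailing DATA_RATE and CHK); the function names, error codes and sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CFG_OK = 0, CFG_SHORT = -1, CFG_SYNC = -2, CFG_SIZE = -3, CFG_BOUNDS = -4, CFG_CRC = -5 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* CRC-CCITT as used for the frame CHK word: polynomial 0x1021, initial value 0xFFFF. */
uint16_t crc_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int b = 0; b < 8; b++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* Check every declared length and count against the bytes actually received,
 * before any field is trusted for indexing or sizing an allocation. */
int cfg2_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 24) return CFG_SHORT;            /* fixed fields + DATA_RATE + CHK */
    if (buf[0] != 0xAA || (buf[1] & 0x70) != 0x30) return CFG_SYNC;  /* frame type 3 = CFG-2 */
    if ((size_t)be16(buf + 2) != len) return CFG_SIZE;        /* FRAMESIZE must match receipt */
    if (crc_ccitt(buf, len - 2) != be16(buf + len - 2)) return CFG_CRC;
    size_t off = 20, end = len - 4;                           /* PMU blocks occupy [20, end) */
    for (uint16_t i = 0, n = be16(buf + 18); i < n; i++) {    /* n = NUM_PMU */
        if (end - off < 26) return CFG_BOUNDS;                /* STN .. DGNMR fixed part */
        size_t ph = be16(buf + off + 20), an = be16(buf + off + 22), dg = be16(buf + off + 24);
        size_t need = 16 * (ph + an + 16 * dg) + 4 * (ph + an + dg) + 4; /* names, units, FNOM, CFGCNT */
        off += 26;
        if (end - off < need) return CFG_BOUNDS;              /* counts exceed received data */
        off += need;
    }
    return off == end ? CFG_OK : CFG_SIZE;                    /* no unexplained trailing bytes */
}

int main(void)
{
    uint8_t f[54] = { 0xAA, 0x31, 0x00, 54 };  /* constructed frame: one PMU, no channels */
    f[19] = 1;                                 /* NUM_PMU = 1 */
    uint16_t c = crc_ccitt(f, 52);
    f[52] = (uint8_t)(c >> 8); f[53] = (uint8_t)c;
    printf("constructed frame: %d\n", cfg2_validate(f, sizeof f));
    return 0;
}
```

Because the CHK word only detects transmission errors, the count and length checks run regardless of whether the CRC passes.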

No known public exploits specifically target these vulnerabilities, but an attacker with low skill would be able to exploit them.

OSIsoft encourages customers using the affected product to upgrade to Version 1.0.6.158 or later. The software update is on the OSIsoft technical support Web site.


