OSIsoft Clears PI Web API Issue

Tuesday, June 13, 2017 @ 03:06 PM gHale

OSIsoft released PI Web API 2017, an upgrade that mitigates a cross-site request forgery vulnerability, according to a report from ICS-CERT.

PI Web API versions prior to 2017 (1.9.0) suffer from the remotely exploitable vulnerability, which OSIsoft discovered and reported itself.

Successful exploitation of this vulnerability may allow an attacker to access the PI System with the privileges of a legitimate client user. PI System data alteration is possible if the client user has sufficient access to write data.

The product sees action in multiple critical infrastructure sectors and on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level would be able to leverage the vulnerability.

The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser the server has previously authenticated.

CVE-2017-7926 is the case number assigned to this vulnerability, for which OSIsoft calculated a CVSS v3 base score of 7.1.

OSIsoft recommends users upgrade to PI Web API version 2017 (1.9.0) and enable CSRF defense. To enable this option, set the configuration attribute ‘EnableCSRFDefense’ to ‘True’ in the PI Web API System Configuration element. This element is located at the path “..\OSIsoft\PI Web API\PIWebAPIMachineName\System Configuration” in the PI AF Server Configuration database.

A new installation of PI Web API 2017 (1.9.0) enables CSRF protection by default.
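The CSRF condition described above, shown as an added example that is not OSIsoft's code and does not describe how ‘EnableCSRFDefense’ is implemented: a server that relies on browser authentication alone accepts a forged cross-site write, while one that also checks the request's source origin rejects it. The host names, session value and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from PI Web API.
TRUSTED_ORIGINS = {"https://piwebapi.example.test"}
VALID_SESSIONS = {"session-abc"}  # sessions the server already authenticated
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_authenticated(request):
    """Ambient credential check: the browser attaches this on every request."""
    return request["cookies"].get("session") in VALID_SESSIONS


def source_origin(headers):
    """Origin of the page that issued the request, from Origin or Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_without_csrf_defense(request):
    """Authentication only: cannot tell a forged request from a real one."""
    return is_authenticated(request)


def allow_with_csrf_defense(request):
    """Authentication plus a same-origin check on state-changing methods."""
    if not is_authenticated(request):
        return False
    if request["method"].upper() in SAFE_METHODS:
        return True
    return source_origin(request["headers"]) in TRUSTED_ORIGINS


def make_request(method, origin):
    """Build a constructed request carrying the user's valid session cookie."""
    headers = {"Origin": origin} if origin else {}
    return {"method": method, "headers": headers, "cookies": {"session": "session-abc"}}


legitimate = make_request("POST", "https://piwebapi.example.test")
forged = make_request("POST", "https://other-site.example.test")
no_origin = make_request("POST", None)
```

Rejecting writes that carry neither Origin nor Referer is the strict choice in this sketch; non-browser clients that omit both headers would need a separate allowance.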

Please see alert AL00316 on the OSIsoft web page for more information about this issue.
