OSIsoft Fixes PI Vision Issues

Tuesday, March 13, 2018 @ 04:03 PM gHale

OSIsoft has released new software to mitigate a protection mechanism failure and an information exposure vulnerability in its PI Vision, according to an advisory published with ICS-CERT.

PI Vision is a data visualization framework; versions 2017 and prior suffer from the remotely exploitable vulnerabilities, which OSIsoft self-reported.


Successful exploitation of these vulnerabilities could allow remote code execution and expose information.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.

In one vulnerability, the X-XSS-Protection response header is not set to block mode, allowing attempts at reflected cross-site scripting.

CVE-2018-7504 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

In addition, the Server response header and the Referrer-Policy response header each result in unintended information disclosure.

CVE-2018-7496 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
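A defender-side check for the three response-header weaknesses described above, added here as an example; it is not OSIsoft's code, and the sample responses are constructed, not captured from a real PI Vision host.

```python
"""Check HTTP response headers for the three weaknesses in the advisory:
X-XSS-Protection not in block mode, a Server header that names the server
software, and a missing or permissive Referrer-Policy. Headers are passed
as a plain dict so the check runs offline against captured responses."""

from typing import Dict, List

# Referrer-Policy values that do not send the full URL to other origins.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}

def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []

    # CVE-2018-7504 class of issue: legacy XSS filter not in block mode.
    xss = _get(headers, "X-XSS-Protection").lower().replace(" ", "")
    if not xss.startswith("1") or "mode=block" not in xss:
        findings.append("X-XSS-Protection is not '1; mode=block'")

    # CVE-2018-7496 class of issue: Server header reveals software/version.
    server = _get(headers, "Server")
    if server:
        findings.append(f"Server header discloses software: {server!r}")

    # Absent or permissive Referrer-Policy leaks page URLs to third parties.
    policy = _get(headers, "Referrer-Policy").lower()
    if policy not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy missing or permissive: {policy!r}")
    return findings

# Constructed sample responses (hypothetical, not from a real deployment).
WEAK_RESPONSE = {"Server": "ExampleWebServer/1.0", "Content-Type": "text/html"}
HARDENED_RESPONSE = {
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(resp) or "all checks pass")
```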

The products see use in multiple sectors and on a global basis.

OSIsoft recommends users upgrade to PI Vision 2017 R2 Update 1. Obtain the update from OSIsoft.


PI Vision 2017 R2 Update 1 also addresses PI Web API vulnerabilities.

