OSIsoft recommends users update software to mitigate cross-site scripting and improper authorization vulnerabilities in its PI Integrator, according to a report with ICS-CERT.
Successful exploitation of these remotely exploitable vulnerabilities, which OSIsoft self-reported, could allow an unauthorized attacker to gain privileged access to the system. An attacker may also be able to store a malicious script in the application database.
The following versions of PI Integrator, a data management platform, suffer from the issues:
• PI Integrator for SAP HANA 2016
• PI Integrator for Business Analytics 2016 – Data Warehouse (All Editions)
• PI Integrator for Business Analytics 2016 – Business Intelligence (All Editions)
• PI Integrator for Business Analytics and SAP HANA SQL Utility 2016
• PI Integrator for Microsoft Azure 2016
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level would be able to leverage the vulnerabilities.
In one vulnerability, an attacker may be able to upload a malicious script that attempts to redirect users to a malicious web site.
CVE-2017-9655 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.
In addition, an attacker is able to gain privileged access to the system while unauthorized.
CVE-2017-9653 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The product sees action in multiple sectors throughout the manufacturing automation sector. It also sees use on a global basis.
San Leandro, CA-based OSIsoft recommends that users update their software at the earliest opportunity. Users and administrators are encouraged to upgrade to PI Integrator for Business Analytics 2016 R2 or later, PI Integrator for Microsoft Azure 2016 R2 SP1 or later, or PI Integrator for SAP HANA 2017 or later for the corresponding edition.
Click here for view an OSIsoft alert.