Your one-stop web resource providing safety and security information to manufacturers

OSIsoft has an upgrade to mitigate a cross-site request forgery vulnerability in its PI ProcessBook and PI ActiveView, according to a report with ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability, which OSIsoft self-reported, may allow an attacker to remotely access arbitrary code.

Schweitzer Clears Hole in Gateways
Schneider Patches Ampla MES Holes
Schneider Patches Wonderware ArchestrA Logger
Siemens SIPROTEC 4, SIPROTEC Compact Issues

OSIsoft said the vulnerability affects the following PI products:
• PI ProcessBook 2015 R2 (3.6.0) and earlier
• PI ActiveView 2015 R2 (3.6.0) and earlier

No known public exploits specifically target this vulnerability. However, an attacker with low skill level would be able to leverage the vulnerability.

Schneider Bold

The affected versions contain a third-party component which contains a vulnerability. The issue is rated “High” (CVSS: 7.0-10) by OSIsoft.

The products see action in multiple sectors on a global basis.

OSIsoft recommends users upgrade installations to PI ProcessBook 2015 R2 SP1 (3.6.1) and PI ActiveView 2015 R2 SP1 (3.6.1). The upgrade removes the vulnerable components and installs Visual Basic for Applications (VBA) 7.1, which is backwards compatible, to maintain scripting capabilities. The upgrade does not completely remove all VBA 6.5 components in case other applications utilize them. If no Microsoft Office or third-party programs require VBA 6.5, remove it after the upgrade.

For more information about this vulnerability, how to obtain the new version, or how to install the new version, see OSIsoft’s alert, AL00321.

Pin It on Pinterest

Share This