OSIsoft has released an upgrade to mitigate a cross-site request forgery vulnerability in its PI ProcessBook and PI ActiveView products, according to a report from ICS-CERT.
Successful exploitation of this remotely exploitable vulnerability, which OSIsoft self-reported, may allow an attacker to remotely access arbitrary code.
OSIsoft said the vulnerability affects the following PI products:
• PI ProcessBook 2015 R2 (3.6.0) and earlier
• PI ActiveView 2015 R2 (3.6.0) and earlier
No known public exploits specifically target this vulnerability. However, an attacker with low skill level would be able to leverage the vulnerability.
The affected versions include a third-party component that contains the vulnerability. OSIsoft rates the issue “High” (CVSS: 7.0-10).
The products are deployed across multiple sectors worldwide.
OSIsoft recommends that users upgrade installations to PI ProcessBook 2015 R2 SP1 (3.6.1) and PI ActiveView 2015 R2 SP1 (3.6.1). The upgrade removes the vulnerable components and installs Visual Basic for Applications (VBA) 7.1, which is backwards compatible, to maintain scripting capabilities. The upgrade does not remove every VBA 6.5 component, in case other applications use them. If no Microsoft Office or third-party program requires VBA 6.5, remove it after the upgrade.
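To check whether a host still needs this upgrade, and whether the VBA 6.5 runtime is still present afterwards, the following PowerShell inventory script can be run on the affected workstations. It is an added example, not code from OSIsoft or ICS-CERT, and it assumes the products register under the standard Windows Uninstall registry keys and that the VBA runtimes live in the usual Common Files\Microsoft Shared\VBA folders.

```powershell
# Added example (not from the OSIsoft alert or ICS-CERT report): inventory a Windows host
# for PI ProcessBook / PI ActiveView builds below the fixed 3.6.1 release and report
# whether the VBA 6.5 runtime is still present after the upgrade.
# Assumptions (not stated on the page): the products appear under the standard Windows
# Uninstall keys with DisplayName/DisplayVersion, and the VBA 6.5 runtime lives at
# Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL.

$FixedVersion = [version]'3.6.1'

function Get-PiInstalls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^PI (ProcessBook|ActiveView)' } |
        ForEach-Object {
            $ver = $null
            # DisplayVersion may carry a build suffix; keep only the part [version] can parse
            if ($_.DisplayVersion -match '^\d+(\.\d+){1,3}') { $ver = [version]$Matches[0] }
            [pscustomobject]@{
                Product    = $_.DisplayName
                Version    = $_.DisplayVersion
                # Unparseable versions are flagged so they get a manual look
                Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
            }
        }
}

function Test-Vba65Present {
    $commonRoots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $commonRoots) {
        if (Test-Path (Join-Path $root 'Microsoft Shared\VBA\VBA6\VBE6.DLL')) { return $true }
    }
    return $false
}

$installs = Get-PiInstalls
if (-not $installs) { Write-Output 'No PI ProcessBook / PI ActiveView installation found.' }
$installs | Format-Table -AutoSize

if ($installs | Where-Object Vulnerable) {
    Write-Warning "One or more installs are below $FixedVersion; apply the 2015 R2 SP1 upgrade."
}
if (Test-Vba65Present) {
    Write-Warning 'VBA 6.5 runtime still present; remove it if no Office or third-party program needs it.'
}
```

Run it from an elevated prompt so both the 32-bit and 64-bit Uninstall hives are readable; a VBA 6.5 hit alone is not a finding if another application on the host still depends on it.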
For more information about this vulnerability, how to obtain the new version, or how to install the new version, see OSIsoft’s alert, AL00321.