OSIsoft released an upgrade to its PI Server 2017 to mitigate improper authentication vulnerabilities, according to a report from ICS-CERT.
PI Data Archive versions prior to 2017 are affected by the remotely exploitable vulnerabilities, which OSIsoft discovered and self-reported.
Successful exploitation of these vulnerabilities could allow the attacker to spoof a PI Server or cause undefined behavior within the PI Network Manager.
No known public exploits specifically target these vulnerabilities. A high skill level is needed to exploit them.
PI Data Archive has protocol flaws with the potential to expose change records in the clear and allow a malicious party to spoof a server within a collective.
CVE-2017-7930 is the case number assigned to this vulnerability, for which OSIsoft calculated a severity score of 8.9.
PI Network Manager using older protocol versions contains a flaw that could allow a malicious user to authenticate with a server and then cause PI Network Manager to behave in an undefined manner.
CVE-2017-7934 is the case number assigned to this vulnerability, for which OSIsoft calculated a severity score of 5.9.
The product is deployed in multiple critical infrastructure sectors worldwide.
OSIsoft recommends users upgrade to PI Data Archive 2017. There is more detail in the “Security Information and Guidance” section of the release notes on the OSIsoft web page (user account required).
OSIsoft recommends users run the PI Data Archive on a secured internal control or corporate network. For a starting point on PI System security best practices, see Knowledge Base Article KB00833 – Seven best practices for securing your PI Server on the OSIsoft web page.
Please see Security Bulletin AL00315 on the OSIsoft web page for more information about this issue.