OSIsoft has upgrade software available to mitigate a deserialization of untrusted data, improper input validation, and incorrect default permissions vulnerabilities in the PI Data Archive, according to a report with ICS-CERT.
A data storage solution, PI Data Archive versions 2016 R2 and prior suffer from the remotely exploitable vulnerabilities, which OSIsoft self reported.
Successful exploitation of these vulnerabilities could cause loss of network access to the device or allow escalated privileges that may result in gaining full control of the PI Data Archive server.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
In one vulnerability, unauthenticated users may modify deserialized data to send custom requests that crash the server.
CVE-2018-7529 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, an insecure default configuration may allow escalation of privileges that gives the actor full control over the system.
CVE-2018-7533 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
Also, unauthenticated users may use unvalidated custom requests to crash the server.
CVE-2018-7531 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.
The products see use in multiple sectors and on a global basis.
OSIsoft recommends customers upgrade to PI Data Archive 2017 R2. Obtain the update from OSIsoft.
Click here to view the OSIsoft advisory.