OSIsoft LLC has an upgrade available to mitigate an integer overflow or wraparound vulnerability in its PI SQL Client, according to a CISA report.
Successful exploitation of this remotely exploitable vulnerability could allow remote code execution or cause a denial of service, resulting in disclosure, deletion, or modification of information.
PI SQL Client 2018 (PI SQL Client OLEDB 2018), a component interface that enables data access to the PI System via SQL queries, suffers from the issue, which OSIsoft self-reported.
An attacker could exploit this vulnerability in a third-party component to remotely execute code on the client computer with the same permissions as the PI SQL Client user.
A PI SQL client must communicate with a malicious PI SQL Data Access Server (RTQP Engine) to be exposed to this vulnerability.
CVE-2017-9765 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.
The product is used in the commercial facilities, critical manufacturing, energy, government facilities, and healthcare and public health sectors, and it is deployed on a global basis.
No known public exploits specifically target this vulnerability. A high skill level is needed to exploit it.
OSIsoft recommends users upgrade to PI SQL Client 2018 R2 or later to resolve this issue. To download PI SQL Client 2018 R2, please access the OSIsoft customer portal (login required).
OSIsoft also provides the following measure to avoid exploitation:
• Configure the PI SQL Client OLEDB 2018 Data Link Advanced Properties to use NetTcp (Port 5465) and delete Https/Soap (Port 5464) from the network protocol order.
The following measures can be used to lower the likelihood of exploitation:
• Restrict PI SQL Client outbound network connections to trusted servers
• Monitor network infrastructure for spoofing attacks on PI SQL Data Access Servers
• Monitor PI SQL Data Access Servers for unauthorized access
The following measures can be used to lower the potential impact of exploitation:
• Execute PI SQL Client using a least privilege account
• Use application whitelisting on the PI SQL Client to block unauthorized code execution
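One way to check the protocol-order and trusted-server measures above from the client side is sketched below as an added example; it is not OSIsoft's or CISA's code. It reads outbound records in the Windows Firewall log layout and flags traffic to port 5464 or to a server outside the approved list. It assumes connection logging is enabled on the client; the trusted address and all log lines are constructed.

```python
import ipaddress

NETTCP_PORT = 5465      # NetTcp: the protocol the mitigation keeps
HTTPS_SOAP_PORT = 5464  # Https/Soap: to be deleted from the protocol order
# Assumption: this site's approved PI SQL Data Access Servers (constructed).
TRUSTED_SERVERS = {ipaddress.ip_address("10.0.1.20")}

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-03-01 10:00:01 ALLOW TCP 10.0.0.5 10.0.1.20 49712 5465 0 - 0 0 0 - - - SEND
2019-03-01 10:00:02 ALLOW TCP 10.0.0.5 10.0.1.20 49713 5464 0 - 0 0 0 - - - SEND
2019-03-01 10:00:03 ALLOW TCP 10.0.0.5 203.0.113.7 49714 5465 0 - 0 0 0 - - - SEND
2019-03-01 10:00:04 DROP TCP 10.0.0.5 203.0.113.7 49715 5464 0 - 0 0 0 - - - SEND
2019-03-01 10:00:05 ALLOW TCP 10.0.0.5 10.0.1.30 49716 443 0 - 0 0 0 - - - SEND
2019-03-01 10:00:06 ALLOW TCP 203.0.113.7 10.0.0.5 5464 49720 0 - 0 0 0 - - - RECEIVE
"""

def audit(log_text, trusted=TRUSTED_SERVERS):
    """Return (line_no, dst_ip, dst_port, action, reasons) per violating record."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("path") != "SEND":
            continue  # only outbound TCP from the client matters here
        try:
            port = int(rec["dst-port"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except (KeyError, ValueError):
            continue  # malformed record
        if port not in (NETTCP_PORT, HTTPS_SOAP_PORT):
            continue
        reasons = []
        if dst not in trusted:
            reasons.append("untrusted-server")
        if port == HTTPS_SOAP_PORT:
            reasons.append("https-soap-in-use")
        if reasons:
            findings.append((line_no, str(dst), port, rec.get("action"), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A DROP record with these reasons still deserves review, since it shows the client attempted a connection that the configuration should no longer produce.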
For more information on this vulnerability, refer to OSIsoft’s security bulletin (login required).
OSIsoft releases security update to PI SQL Client 2018