OSIsoft has released updates to mitigate a permissions, privileges, and access controls vulnerability and a cross-site scripting vulnerability in its PI Web API, according to an advisory from ICS-CERT.
The remotely exploitable vulnerabilities affect PI Web API 2017 R2 and prior, although not every PI Web API configuration is affected.
Successful exploitation of the vulnerabilities, which OSIsoft self-reported, could allow an attacker to escalate privileges and may allow remote code execution.
No known public exploits specifically target these vulnerabilities; however, an attacker with a low skill level could leverage them.
In the first vulnerability, privileges may be escalated, giving an attacker access to the PI System through the service account.
CVE-2018-7500 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.3.
In addition, cross-site scripting may occur because user-supplied input is incorrectly neutralized before it is included in web page output.
CVE-2018-7508 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.7.
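For readers unfamiliar with the weakness class, the following is an added illustration of what "incorrectly neutralized input" looks like in a web API that reflects a caller-supplied value into an HTML error page, beside the hardened form. It is example code written for this article, not OSIsoft code, and it does not claim to show where the PI Web API flaw actually lies; the element name, the error page, the JSON error response and all function names are assumptions.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled input (not taken from the advisory).
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_not_found_vulnerable(element_name: str) -> str:
    """Reflects caller input into HTML with no neutralization.

    Any '<', '>' or quote characters in element_name become live markup,
    which is the pattern behind reflected cross-site scripting.
    """
    return f"<p>Element '{element_name}' was not found.</p>"


def render_not_found_hardened(element_name: str) -> str:
    """Same page, with the input neutralized for an HTML text context.

    html.escape(quote=True) converts &, <, >, " and ' to entities, so the
    browser renders the payload as text instead of executing it.
    """
    safe = html.escape(element_name, quote=True)
    return f"<p>Element '{safe}' was not found.</p>"


def render_retry_link_hardened(element_name: str) -> str:
    """Neutralization is context-specific: a value placed in a URL needs
    URL encoding first, and the resulting href still needs attribute escaping.
    """
    href = "/search?name=" + quote(element_name, safe="")
    return f'<a href="{html.escape(href, quote=True)}">retry</a>'


def json_error_response(message: str) -> tuple[dict, str]:
    """Hypothetical API error response. Returning JSON with an explicit
    content type and X-Content-Type-Options: nosniff keeps a browser from
    interpreting the body as HTML, which removes the rendering context
    entirely for pure API endpoints.
    """
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json.dumps({"error": message})


def reflects_unneutralized(rendered: str, payload: str) -> bool:
    """Crude check used when testing an endpoint: does the payload come back
    byte-for-byte, i.e. without any encoding applied?"""
    return payload in rendered


if __name__ == "__main__":
    print("vulnerable:", render_not_found_vulnerable(PAYLOAD))
    print("hardened:  ", render_not_found_hardened(PAYLOAD))
    print("link:      ", render_retry_link_hardened(PAYLOAD))
    print("json:      ", json_error_response(PAYLOAD))
```

The same verbatim-reflection check is what a tester would run against a real endpoint: send a marker string containing `<>"'` characters and compare the response body against it; an unmodified echo indicates missing neutralization for that output context.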
The product is used across multiple sectors worldwide.
OSIsoft recommends users upgrade to PI Vision 2017 R2 Update 1 or PI AF Services 2017 R2 Update 1, both of which address the PI Web API vulnerabilities. The updates are available from OSIsoft.
OSIsoft released the following alerts:
• Alert one
• Alert two