OSIsoft’s PI Coresight and PI Web API expose information through server log files, according to a report with ICS-CERT.
Anyone with access to the server file system can obtain the service account passwords for the affected services, according to the report. This is accomplished by examining the installation log file when a non-default service account and passwords are specified during installation or upgrade. This potentially leads to unauthorized shutdown of the affected PI services as well as potential reuse of domain credentials.
OSIsoft reports that the vulnerability affects the following versions:
• PI Coresight 2016 R2 and earlier versions
• PI Web API 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit
While there is no fix right now, OSIsoft recommends following the workaround detailed in its security bulletin until a software update is available.