OSIsoft PI System
ICSA: ICS Advisory (ICSA-20-133-02)
1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: OSIsoft
- Equipment: PI System
- Vulnerabilities: Uncontrolled Search Path Element, Improper Verification of Cryptographic Signature, Incorrect Default Permissions, Uncaught Exception, Null Pointer Dereference, Improper Input Validation, Cross-site Scripting, Insertion of Sensitive Information into Log File
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to access unauthorized information, delete or modify local processes, and crash the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of PI System are affected:
CVE-2020-10610, CVE-2020-10608, CVE-2020-10606:
- Applications using PI Asset Framework (AF) Client versions prior to and including PI AF Client 2018 SP3 Patch 1, Version 188.8.131.523
- Applications using PI Software Development Kit (SDK) versions prior to and including PI SDK 2018 SP1, Version 184.108.40.2062
- PI API for Windows Integrated Security versions prior to and including 220.127.116.11
- PI API versions prior to and including 18.104.22.168
- PI Buffer Subsystem versions prior to and including 22.214.171.124
- PI Connector for BACnet, versions prior to and including 126.96.36.199
- PI Connector for CygNet, versions prior to and including 188.8.131.52
- PI Connector for DC Systems RTscada, versions prior to and including 184.108.40.206
- PI Connector for Ethernet/IP, versions prior to and including 220.127.116.11
- PI Connector for HART-IP, versions prior to and including 18.104.22.168
- PI Connector for Ping, versions prior to and including 22.214.171.124
- PI Connector for Wonderware Historian, versions prior to and including 126.96.36.199
- PI Connector Relay, versions prior to and including 188.8.131.52
- PI Data Archive versions prior to and including PI Data Archive 2018 SP3, Version 3.4.430.460
- PI Data Collection Manager, versions prior to and including 184.108.40.206
- PI Integrator for Business Analytics versions prior to and including 2018 R2 SP1, Version 220.127.116.11
- PI Interface Configuration Utility (ICU) versions prior to and including 18.104.22.168
- PI to OCS versions prior to and including 22.214.171.124
CVE-2020-10604, CVE-2020-10602:
- PI Data Archive 2018 and 2018 SP2 only
- PI Data Archive 2018 SP2 and prior versions
- PI Vision 2019 and prior
- PI Manual Logger 2017 R2 Patch 1 and prior
- RtReports Version 4.1 and prior
CVE-2020-10600, CVE-2020-10614, CVE-2019-18244:
- PI Vision 2019 and prior versions
3.2 VULNERABILITY OVERVIEW
A local attacker can modify a search path and plant a binary to exploit the affected PI System software to take control of the local computer at Windows system privilege level, resulting in unauthorized information disclosure, deletion, or modification.
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. This exploitation can target another local user of PI System software on the computer to escalate privilege and result in unauthorized information disclosure, deletion, or modification.
A local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment.
A remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive.
An authenticated remote attacker could crash PI Network Manager due to a race condition. This can result in blocking connections and queries to PI Data Archive.
An authenticated remote attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive.
An authenticated remote attacker could add or modify internal object properties, resulting in undefined behavior.
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision mobile to a vulnerable webpage due to a known issue in a third-party component.
An authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.
A local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
William Knowles, Senior Security Consultant at Applied Risk, working with OSIsoft, reported vulnerabilities to CISA.
4. MITIGATIONS
OSIsoft reports the following workarounds and defensive measures:
CVE-2020-10610—Manage permissions on HKLM\Software\PISystem and HKLM\WOW6432Node\Software\PISystem registry keys to block a high impact exploit path. See OSIsoft customer portal knowledge article PI System Registry Security Recommendations for details on setting registry permissions.
CVE-2019-18244—Provision and use domain Group Managed Service Accounts or use the default NetworkService account to run PI Vision AppPools. There is no exposure to this vulnerability when using either of these account types. To limit exposure in case a standard domain account is used to run PI Vision AppPools, remove the password entry from the setup log files immediately.
OSIsoft reports the following measures can be used to lower likelihood of exploitation:
CVE-2020-10610, CVE-2020-10608, CVE-2020-10606—Migrate standard users to PI Vision and browser-based access to PI System data.
CVE-2020-10608—Restrict network connections from PI client workstations to trusted AF servers (TCP Port 5457).
CVE-2020-10606—Disable unused PI Buffering services from PI client workstations (PI Buffer Subsystem, PI Buffer Server).
CVE-2019-10768, CVE-2020-10600, CVE-2020-10614—Limit write access to PI Vision displays to trusted users.
The following measures can be used to lower the potential impact of exploitation:
CVE-2020-10610 and CVE-2020-10608—Deploy application whitelisting solutions with enforcement for approved DLLs:
- Windows AppLocker
- Windows Defender Application Control
CVE-2020-10610 and CVE-2020-10608—Monitor HKLM\Software\PISystem and HKLM\WOW6432Node\Software\PISystem registry keys as well as the ProgramData\PISystem folder for unauthorized changes. See OSIsoft customer portal knowledge article Monitoring PISystem Registry.
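The two registry-related measures above (managing permissions on the PISystem keys, and monitoring those keys and the ProgramData\PISystem folder for unauthorized changes) can be turned into a repeatable audit. The following PowerShell script is an added example, not from the advisory or from OSIsoft; it assumes an elevated session on a host with PI System software installed, and the trusted-principal list is an assumption to be adjusted to site policy.

```powershell
# Added audit script (not from the advisory or from OSIsoft). It inspects the
# registry keys and the ProgramData\PISystem folder that the mitigations name,
# flags Allow ACEs that grant write-type rights to principals outside a trusted
# set, and prints a SHA-256 of each ACL's SDDL as a baseline for change
# monitoring. Assumptions: run elevated; $TrustedWriters matches site policy.

$Targets = @(
    'HKLM:\SOFTWARE\PISystem',
    'HKLM:\SOFTWARE\WOW6432Node\PISystem',
    (Join-Path $env:ProgramData 'PISystem')
)

# Principals expected to hold write access (assumed; adjust locally). CREATOR
# OWNER is deliberately not trusted so inherited owner grants get reviewed.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal plant or replace a value, key or file. Generic
# rights render as a bare number in PowerShell, so those are flagged as well.
$WritePattern = 'FullControl|Modify|WriteKey|WriteData|CreateFiles|AppendData|' +
                'SetValue|CreateSubKey|Delete|^-?\d+$'

function Get-AceRights {
    param($Ace)
    # Registry ACEs carry RegistryRights, file-system ACEs carry FileSystemRights.
    if ($Ace.PSObject.Properties['RegistryRights']) { return "$($Ace.RegistryRights)" }
    return "$($Ace.FileSystemRights)"
}

function Get-AclFingerprint {
    param([string]$Sddl)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Sddl)
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($path in $Targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Host "[skip] $path not present"; continue }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        $rights = Get-AceRights $ace
        $who    = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $rights -match $WritePattern -and
            $TrustedWriters -notcontains $who) {
            $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            Write-Warning "$path : '$who' has $rights ($src); compare with PI System Registry Security Recommendations"
        }
    }
    # A different fingerprint on a later run means the ACL changed; investigate.
    Write-Host "[acl-sha256] $path $(Get-AclFingerprint $acl.Sddl)"
}
```

Store the printed fingerprints with the host's baseline and diff them on a schedule; any change to an ACL or a new non-trusted writer is a signal to follow up under the monitoring measure above.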
For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.
CVE-2020-10604, CVE-2020-10602, CVE-2020-10600—Fully configure Windows authentication for the PI System and disable legacy authentication methods. For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.
For more information and workaround details for these vulnerabilities, please refer to OSIsoft’s Security Bulletin (registration required): OSIsoft Updates PI System and Common Components.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.