Alert
AL00289 - OSIsoft Releases Multiple Security Updates for the PI System
2015-08-11
Revised: 2015-09-09
 

Summary

OSIsoft has released PI Data Archive 2015, a new version component of its PI Server that resolves 56 security-related issues.

The resolved issues were rated using the Common Vulnerability Scoring System (CVSS), as follows:
  • 21 high (CVSS: 6.8-10),
  • 27 medium (CVSS: 3.4-6.7)
  • 8 low (CVSS: 0-3.3).
These Data Archive 2012 security-related issues were self-identified and resolved in the 2015 release as part of OSIsoft’s Security Development Lifecycle (SDL) process.

OSIsoft recommends upgrading to PI Server 2015 to address these issues.
 

Impact

Some of the high-level vulnerabilities could allow remote code execution on the Windows OS running the PI Data Archive if an attacker sends a specially crafted sequence of packets to a targeted system. An attacker who successfully exploited these vulnerabilities could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 
Denial of service impact also exists when the PI Data Archive improperly handles input. An attacker who successfully exploited these vulnerabilities could cause the PI Data Archive to stop responding in a way that causes data corruption and loss.
 
All 21 high-level security issues are network accessible with 3 exposed before authentication. The PI Data Archive receives network input on TCP/IP port 5450 by default and network input is required for normal operation of the PI Data Archive.

The 21 high-level security issues that are addressed in Data Archive 2015 include:  

Affected Software

Versions of Data Archive prior to 3.4.395.64
 

Recommendation

Users and administrators are encouraged to review Data Archive 2015 Release Notes and upgrade to Data Archive version 3.4.395.64 to obtain the fixes to the aforementioned vulnerabilities.
 

When OSIsoft issued this security bulletin was it aware of this vulnerability being exploited?

No known public exploits specifically target these vulnerabilities.
 

Defensive Measures

Limiting access to port 5450 reduces exposure to the high severity vulnerabilities. A firewall can be used to consolidate network access from application servers like PI Coresight, PI Interfaces, and other trusted workstations. A firewall can also block outbound connections from a PI Server to help contain malware activity. Your IT engineer can advise you about how best to do this for your organization's architecture.

For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements: https://techsupport.osisoft.com/Troubleshooting/KB/KB01162
 
Impact and severity of vulnerabilities can be reduced through industry accepted IT practices.  OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration. Guidance specific to PI Data Archive are referenced at the end of this advisory and should be considered if PI Data Archive upgrade plans are not viable for your environment.

For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server: https://techsupport.osisoft.com/Troubleshooting/KB/KB00833
 

References

Common Weakness Enumeration (CWE): http://cwe.mitre.org/
Common Vulnerablity Scoring System (CVSS): https://nvd.nist.gov/cvss.cfm
Security Development Lifecycle (SDL): http://www.microsoft.com/en-us/sdl/default.aspx
KB00833 - Seven best practices for securing your PI Server: https://techsupport.osisoft.com/Troubleshooting/KB/KB00833
KB00994 - Whitelisting with AppLocker: https://techsupport.osisoft.com/Troubleshooting/KB/KB00994
KB00649 - PI Server support for Windows Server Core: https://techsupport.osisoft.com/Troubleshooting/KB/KB00649
KB01162 - Firewall Port Requirements: https://techsupport.osisoft.com/Troubleshooting/KB/KB01162
PI System Architecture: http://www.osisoft.com/software-support/what-is-pi/Architecture.aspx

© 2015 OSIsoft LLC. All Rights Reserved.