Alert
AL00321 - OSIsoft releases PI ProcessBook 2015 R2 SP1 and PI ActiveView 2015 R2 SP1 with security updates
2017-06-13

Summary

PI ProcessBook and PI ActiveView offer scripting capability with Visual Basic for Applications (VBA). The components for this capability packaged with versions 2015 R2 (3.6.0) and earlier included older Microsoft Office shared components that are no longer supported by Microsoft. Some of these components contain known vulnerabilities.

PI ProcessBook 2015 R2 SP1 (3.6.1) and PI ActiveView 2015 R2 SP1 (3.6.1) no longer include the vulnerable components, so OSIsoft recommends upgrading the affected software package to version 2015 R2 SP1 to address the issue.

The resolved issue of vulnerable components was rated High (CVSS: 7.0-10) using the Common Vulnerability Scoring System (CVSS).

Impact

There are multiple disclosed vulnerabilities with the Microsoft Office shared components. The highest impact of the known vulnerabilities is remote code execution. If Microsoft Office 2003 or 2007 is installed alongside PI ProcessBook or PI ActiveView with all available Microsoft updates applied, the installation is not susceptible to the disclosed vulnerabilities.

However, since the Microsoft Office shared components are no longer supported, there may be other undisclosed vulnerabilities that are not addressed by updates.

Affected Software

This issue applies to:
  • PI ProcessBook 2015 R2 (3.6.0) and earlier
  • PI ActiveView 2015 R2 (3.6.0) and earlier
Note: If the affected software above has been uninstalled, the host machine may still have the vulnerable components from VBA 6.5. You can determine if the vulnerable components are still on the system by the presence of the following files:
 
  • %CommonProgramFiles(x86)%\Microsoft Shared\Office10\MSO.dll
  • %ProgramFiles(x86)%\Microsoft Office\Office\MSO9.dll
You can remove these components by following Step 2 under "Recommendation."

Recommendation

Upgrade installations to PI ProcessBook 2015 R2 SP1 (3.6.1) and PI ActiveView 2015 R2 SP1 (3.6.1).The upgrade removes the vulnerable components and installs VBA 7.1, which is backwards compatible, to maintain scripting capabilities. The upgrade does not completely remove all VBA 6.5 components in case other applications utilize them. If no Microsoft Office or third-party programs require VBA 6.5, remove it after the upgrade.

Step 1: Upgrade affected software to version 2015 R2 SP1 (3.6.1)
For details on the upgrade and this issue, see "Security Information and Guidance" in Appendix A of the release notes for PI ProcessBook or PI ActiveView.

Step 2: Remove VBA 6.5
For details on removing VBA 6.5 see KB01577.

Note: This upgrade will also upgrade the data access components to PI AF Client 2016 R2 SP1 and PI SDK 2016, resolving the issue disclosed in AL00308.
 

When OSIsoft issued this security bulletin, was it aware of this vulnerability being exploited?

No exploits for these components have been identified to specifically target PI ProcessBook or PI ActiveView.
 

Defensive Measures

Several defensive measures are available to reduce exposure to this issue until workstations are upgraded.

EMET
For additional protection, users can run PI ProcessBook and PI ActiveView under Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). For details regarding EMET and PI ProcessBook, please see KB01289.

Display Access Control
Protect PI ProcessBook displays by only granting write access to users that need to perform edits to display files. This access control is especially important if displays are accessible from a central repository such as a network file share.

Least Privilege
To reduce potential impact, operate PI ProcessBook or PI ActiveView as a user without administrative privileges to the local operating system.

Firewall
Use a host-based firewall to limit connections to workstations with affected software. Consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture.

General Considerations

Impact and severity of vulnerabilities can be reduced through industry-accepted IT practices.

OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration. For a starting point on PI System security best practices, see knowledge base article KB00833 "Seven best practices for securing your PI Server."

This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.

References