Alert
AL00321 - OSIsoft releases PI ProcessBook 2015 R2 SP1 and PI ActiveView 2015 R2 SP1 with security updates
2017-06-13

Summary

PI ProcessBook and PI ActiveView offer scripting capability with Visual Basic for Applications (VBA).  The components packaged with PI ProcessBook and PI ActiveView prior to 2015 R2 SP1 for this capability included older Microsoft Office shared components, which are no longer supported by Microsoft.  Some of these components contain known vulnerabilities.

PI ProcessBook 2015 R2 SP1 and PI ActiveView 2015 R2 SP1 no longer include the vulnerable components, so OSIsoft recommends upgrading the affected software package to address this issue.  The resolved issue was rated High (CVSS: 7.0-10) using the Common Vulnerability Scoring System (CVSS).

Impact

Multiple vulnerabilities have been disclosed in these Microsoft Office shared components, and because the components are no longer supported, further undisclosed vulnerabilities may exist.  An installation is not susceptible to the disclosed vulnerabilities if Microsoft Office 2003 or 2007, with all available updates applied, is installed alongside PI ProcessBook or PI ActiveView.

The highest impact of the known vulnerabilities is remote code execution.

Affected Software

This issue applies to:
  • PI ProcessBook prior to 2015 R2 SP1
  • PI ActiveView prior to 2015 R2 SP1

Recommendation

Upgrade to PI ProcessBook 2015 R2 SP1 and PI ActiveView 2015 R2 SP1.  For details on the upgrade and this issue, see "Security Information and Guidance" in Appendix A of the release notes. For details on removing VBA 6.5 after the upgrade, please see KB01577.
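The following PowerShell inventory check is an added example; it is not part of this advisory and not an OSIsoft tool. It enumerates the standard Windows uninstall registry keys, picks out entries whose display name starts with "PI ProcessBook" or "PI ActiveView" (an assumption about how the products register), and flags any whose version is older than the version supplied for 2015 R2 SP1. The advisory does not state the build number of 2015 R2 SP1, so $FixedVersion is a placeholder to be replaced with the value from the release notes.

```powershell
# Added example, not from the OSIsoft advisory. Flags PI ProcessBook / PI ActiveView
# installations older than a supplied version so affected hosts can be scheduled for upgrade.
$FixedVersion = [version]'0.0.0.0'   # PLACEHOLDER (assumption): build version of 2015 R2 SP1

# Standard Windows uninstall registry locations, 64-bit and 32-bit (WOW6432Node) views.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-PiClientPatchStatus {
    param(
        [Parameter(Mandatory)][version]$MinimumVersion,
        # Assumption: the two products register with these display names.
        [string]$NamePattern = '^PI (ProcessBook|ActiveView)'
    )

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        ForEach-Object {
            # DisplayVersion may be missing or malformed; treat that as "Unknown" rather than "Fixed".
            $installed = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$installed)

            if (-not $parsed) {
                $status = 'Unknown'
                $action = 'Verify the installed version manually'
            }
            elseif ($installed -lt $MinimumVersion) {
                $status = 'Affected'
                $action = 'Upgrade to 2015 R2 SP1 (see Appendix A of the release notes)'
            }
            else {
                $status = 'Fixed'
                $action = 'Remove VBA 6.5 if it is no longer needed (KB01577)'
            }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = $status
                Action   = $action
            }
        }
}

# Run locally; for a fleet, pass the function body to Invoke-Command against a list of computers.
Get-PiClientPatchStatus -MinimumVersion $FixedVersion | Format-Table -AutoSize
```

The check relies only on the DisplayName and DisplayVersion values the installer writes, so a host that reports "Unknown" should be inspected by hand rather than assumed patched.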

When OSIsoft issued this security bulletin, was it aware of this vulnerability being exploited?

No exploits for these components have been identified to specifically target PI ProcessBook or PI ActiveView.

Defensive Measures

For additional protection, users can run PI ProcessBook and PI ActiveView under Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).  For details regarding EMET and PI ProcessBook, please see KB01289.

General Considerations

Impact and severity of vulnerabilities can be reduced through industry-accepted IT practices.

OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.  For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.

References

Common Weakness Enumeration (CWE): http://cwe.mitre.org/
Common Vulnerability Scoring System (CVSS): https://nvd.nist.gov/cvss.cfm
Security Development Lifecycle (SDL): http://www.microsoft.com/en-us/sdl/default.aspx
PI System Architecture: http://www.osisoft.com/software-support/what-is-pi/Architecture.aspx

© 2017 OSIsoft LLC. All Rights Reserved. 
3-Apr-2017: <DP> Harry Paul sent out a note that the release of this will be delayed by 1 month.