Alert
AL00324 - Security updates for PI Integrator For Business Analytics 2016, PI Integrator for Microsoft Azure 2016, and PI Integrator for SAP HANA 2016
2017-07-11

Summary

OSIsoft has released the PI Integrator for Business Analytics 2016 R2, PI Integrator for Microsoft Azure 2016 R2 SP1, and PI Integrator for SAP HANA 2017 (a restricted integrator available from SAP) that resolve stored cross-site scripting (XSS) and privilege escalation issues in previous versions of those applications. In combination these issues could result in unauthorized access to PI System data and increased risk for legitimate users of the PI Integrators. The resolved issues were rated using the Common Vulnerability Scoring System (CVSS), as follows:
  • 1 high (CVSS: 7.0-10)
  • 1 medium (CVSS: 4.0-7.0)
These issues were self-identified as part of the OSIsoft Security Development Lifecycle (SDL) process. OSIsoft recommends that you upgrade the affected software package to address these issues.

Impact

An unauthorized user could gain privileged access to the PI Integrator application and views of PI System data. A miscreant could also store malicious script in the application database and subsequently execute it on the targeted user's machine. For instance, the targeted user could be redirected to a malicious website that attempts to compromise browser defenses or fool the user into disclosing sensitive information.

The high-level security issues addressed here include:

Affected Software

These issues apply to versions prior to:
  • PI Integrator for SAP HANA 2017
  • PI Integrator for Business Analytics 2016 R2 - Data Warehouse (All Editions)
  • PI Integrator for Business Analytics 2016 R2 - Business Intelligence (All Editions)
  • PI Integrator for Business Analytics and SAP HANA SQL Utility 2016 R2
  • PI Integrator for Microsoft Azure 2016 R2 SP1

Recommendation

OSIsoft recommends that customers update their software at the earliest opportunity. Users and administrators are encouraged to upgrade to PI Integrator for Business Analytics 2016 R2 or later, PI Integrator for Microsoft Azure 2016 R2 SP1 or later, or PI Integrator for SAP HANA 2017 or later for the corresponding edition.

When OSIsoft issued this security bulletin, was it aware of these vulnerabilities being exploited?

No, these vulnerabilities were self-identified by OSIsoft, and there are no known exploits at this time. OSIsoft will not publicly disclose information that a malicious party could use towards developing an exploit. Please see our Ethical Disclosure Policy for more information on OSIsoft’s philosophy and motivation regarding vulnerability disclosures.

Defensive Measures

OSIsoft recommends that you run the PI Integrator on a secured internal control or corporate network. Explicitly grant network access to the PI Integrator web application by scoping firewall rules to trusted hosts.

Where practical, consider defenses for safer web browsing including proxy servers and web browser sandbox solutions.

General Considerations

Impact and severity of vulnerabilities can be reduced through industry-accepted IT practices. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration. For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.

This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.

References

Common Weakness Enumeration (CWE): http://cwe.mitre.org/
Common Vulnerability Scoring System (CVSS): https://nvd.nist.gov/cvss.cfm
Security Development Lifecycle (SDL): http://www.microsoft.com/en-us/sdl/default.aspx

Common Vulnerability Scoring System (CVSS) Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Common Weakness Enumeration (CWE): CWE-285

Common Vulnerability Scoring System (CVSS) Score: 6.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
Common Weakness Enumeration (CWE): CWE-79

OSIsoft's Ethical Disclosure Policy: https://techsupport.osisoft.com/Troubleshooting/Ethical-Disclosure-Policy