Alert
AL00339 - OSIsoft releases security updates in PI Data Archive 2017 R2
2018-02-13

Summary

This alert lists five security-related issues resolved in PI Data Archive 2017 R2:
 
  • Issue (1): a local attacker could escalate privilege due to insecure default configuration items (CWE-276).
  • Issue (2): a remote, unauthenticated attacker could crash PI Network Manager through specially crafted requests due to improper handling of serialization or comparison of a variable.
  • Issue (3): a remote, unauthenticated attacker could crash PI Network Manager through specially crafted requests due to improper input validation.
  • Issue (4): a remote, unauthenticated attacker could authenticate and cause PI Network Manager to behave in an undefined manner through specially crafted requests due to protocol flaws.
  • Issue (5): a remote, unauthenticated attacker could expose collective change records in the clear or spoof a server within a collective due to protocol flaws in High Availability authentication.
OSIsoft recommends upgrading the PI Data Archive to address these security issues. Issue (1) and Issue (2) were rated High (CVSS: 7.0-10) using the Common Vulnerability Scoring System (CVSS). Scoring is available for all issues in the Impact section below.

Note: Issue (4) and Issue (5) were previously disclosed in security alert AL00315, but are also included in this bulletin for completeness since a significant portion of customers will upgrade from PI Data Archive 2016 R2.
 

Impact

Successful exploitation of the now-resolved issues has the following security impact:

  • Issue (1) can result in a local attacker escalating privilege to full control of the PI Data Archive server.
  • Issue (2) and Issue (3) can result in shutdown of network connections to the PI Data Archive.
  • Issue (4) can result in undefined behavior within the PI Network Manager. (Covered in AL00315)
  • Issue (5) can allow spoofing of a PI Data Archive collective member. (Covered in AL00315)
Common Vulnerability Scoring System (CVSS) Evaluations

Issue   Score   Vector (CVSS v3 base metrics)
1       7.3     AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
2       7.5     AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3       5.9     AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4       5.9     AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
5       8.9     AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
 

Affected Software

The issues described in this bulletin apply to versions of the PI Data Archive prior to PI Data Archive 2017 R2.
 

Recommendation

OSIsoft recommends upgrading to PI Data Archive 2017 R2, as these vulnerabilities have been resolved and addressed in this version of the software.
 

When OSIsoft issued this security bulletin, was it aware of this vulnerability being exploited?

No exploits for these components have been identified.
 

Defensive Measures

In addition to the recommendation to upgrade to PI Data Archive 2017 R2, this alert highlights some specific defensive measures:

Issue (1): Implement restrictions on standard users entitled to local logon, remote desktop, and any other interactive access method to the PI Data Archive server. Avoid unnecessary exposure to this issue by limiting use of thick clients and web applications to access the PI Data Archive server. Most PI System administrative tasks can be performed through PI SMT or leveraging the PowerShell Tools for the PI System remotely.

Further reduce exposure with application whitelisting through Hypervisor-protected Code Integrity (HVCI) as implemented by Device Guard in the Windows 10 and Server 2016 platform. For an introduction to Device Guard, see Overview of Device Guard in Windows Server 2016 on Microsoft TechNet. Application whitelisting makes it more difficult for standard user accounts to execute unapproved applications. HVCI provides more rigid enforcement than traditional application whitelisting through AppLocker.

Also, enable Windows auditing or equivalent operating system level security logging, such as Microsoft Sysinternals Sysmon, to facilitate detection of unauthorized privileged access to the PI Data Archive server.
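The following PowerShell is an added example, not part of the OSIsoft alert, showing how the auditing measure for Issue (1) can be turned on with built-in Windows tooling and how the resulting Security log events are reviewed for privileged interactive logons to the PI Data Archive host. The 24-hour window and the set of logon types are assumptions; Sysmon is optional on top of this and is not configured here.

```powershell
# Added example (not from the OSIsoft alert): enable the Windows audit
# subcategories that record interactive and privileged logons on the
# PI Data Archive host, then pull the events a defender would review.

# 1. Success/failure auditing for logons (4624/4625) and for logons that
#    are granted sensitive privileges (4672).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Logoff" /success:enable

# Shared helper: flatten an event's EventData into a name -> value table.
function Get-EventDataTable($Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

# 2. Interactive (2), Unlock (7) and RemoteInteractive/RDP (10) logons in
#    the last 24 hours (assumed window). LogonType lives only in the XML
#    payload, so it is parsed per event rather than filtered up front.
$interactiveTypes = 2, 7, 10
$since = (Get-Date).AddHours(-24)

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataTable $_
        if ($interactiveTypes -contains [int]$d['LogonType']) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']
                Source    = $d['IpAddress']
                LogonId   = $d['TargetLogonId']
            }
        }
    }

# 3. Correlate with 4672 (special privileges assigned) on the same LogonId.
#    An interactive logon that also receives SeDebugPrivilege or similar is
#    exactly the privileged access this measure is meant to surface.
$privilegedLogonIds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventDataTable $_)['SubjectLogonId'] }

$logons |
    Where-Object { $privilegedLogonIds -contains $_.LogonId } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Any account that appears in the final table and is not an approved PI System administrator working from an approved host is worth following up; forwarding these two event IDs to a central log collector is the usual next step so the review does not depend on the server's local log retention.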

Issue (2), Issue (3) and Issue (4): Reduce exposure by limiting direct connections to the PI Data Archive to only valid network locations, such as servers hosting PI Connectors, PI Interfaces and PI Vision. If thick client access to the PI Data Archive is required, such as with PI ProcessBook and PI DataLink, consider limiting the direct access to the subnet where thick client users reside.
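The following PowerShell is an added example, not part of the OSIsoft alert, implementing the network-scoping measure for Issues (2), (3) and (4) with the Windows firewall on the PI Data Archive host. It assumes TCP 5450 is the PI Network Manager listener (the OSIsoft default; confirm the full port list for your deployment against KB01162), and the subnets are constructed placeholders for the PI Interface/Connector hosts, PI Vision servers and, if needed, the thick-client user subnet.

```powershell
# Added example (not from the OSIsoft alert): restrict inbound access to the
# PI Network Manager listener to the subnets that legitimately need it.
# ASSUMPTIONS: TCP 5450 is the PI Network Manager port (check KB01162);
# the subnets below are constructed placeholders.

$PiNetMgrPort   = '5450'
$TrustedSubnets = @(
    '10.10.20.0/24',   # PI Interface / PI Connector hosts (constructed)
    '10.10.21.0/24',   # PI Vision web servers (constructed)
    '10.20.0.0/16'     # thick-client (PI ProcessBook / PI DataLink) users (constructed)
)

# 1. Make "block" the default for unsolicited inbound traffic on every
#    profile, so scoped allow rules define the only permitted sources.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable any existing inbound allow rule that opens the port to every
#    remote address; otherwise it silently widens the scope set below.
#    (Windows evaluates block rules before allow rules, so adding a block
#    rule instead would also cut off the trusted subnets.)
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $PiNetMgrPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any') {
            Write-Warning "Disabling unscoped inbound rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }
    }

# 3. Admit the listener only from the trusted sources.
New-NetFirewallRule -DisplayName 'PI Data Archive - PI Network Manager (trusted subnets only)' `
    -Direction Inbound -Protocol TCP -LocalPort $PiNetMgrPort `
    -RemoteAddress $TrustedSubnets -Action Allow -Profile Domain, Private

# 4. Verify: every enabled inbound rule for the port, with its remote scope.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $PiNetMgrPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

The verification step should show a single enabled allow rule whose Remote column lists only the trusted subnets. The same pattern applies to any other PI Data Archive ports listed in KB01162; a network firewall or switch ACL in front of the server gives the same scoping for attackers who already control another host on the server's own subnet, which a host firewall alone cannot prevent from reaching the listener if that subnet is trusted.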

Issue (5): High Availability communication between the primary member and secondary members of a collective can be protected in an IPsec or VPN tunnel. For an option native to the Windows operating system, the Windows Advanced Firewall can be configured to allow only secure connections through Connection Security Rules, which use IPsec. For more information on Windows connection security rules, see Understanding Windows Connection Security Rules on Microsoft TechNet.
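The following PowerShell is an added example, not part of the OSIsoft alert, showing the Windows-native option described for Issue (5): a Connection Security Rule that requires IPsec between two collective members, plus a firewall rule that admits the peer only over a secured connection. It assumes both members are domain joined (Kerberos machine authentication); the addresses are constructed, and the script is run on both members with the two addresses swapped.

```powershell
# Added example (not from the OSIsoft alert): require authenticated, encrypted
# IPsec transport for all traffic between two PI collective members using
# Windows Connection Security Rules. Run on BOTH members with the addresses
# swapped. ASSUMPTIONS: domain-joined hosts (Kerberos machine auth);
# constructed addresses.

$LocalMember = '10.10.40.10'   # this collective member (constructed)
$PeerMember  = '10.10.40.11'   # the other collective member (constructed)

# 1. Phase 1 (main mode) authentication with the machine account via
#    Kerberos: a host that is not the genuine peer cannot complete the
#    negotiation, which is what closes the spoofing path.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'PI Collective - machine Kerberos' -Proposal $proposal

# 2. Connection Security Rule: require IPsec in both directions for every
#    packet exchanged between the two members (transport mode, no tunnel).
New-NetIPsecRule -DisplayName 'PI Collective HA - require IPsec' `
    -LocalAddress $LocalMember -RemoteAddress $PeerMember `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -Mode Transport -Profile Domain

# 3. Firewall rule that admits the peer only when the connection is
#    IPsec-authenticated and encrypted ("allow only secure connections");
#    unsecured packets from the same address are dropped, so change records
#    never cross the wire in the clear.
New-NetFirewallRule -DisplayName 'PI Collective HA - peer (secure only)' `
    -Direction Inbound -RemoteAddress $PeerMember `
    -Authentication Required -Encryption Required `
    -Action Allow -Profile Domain

# 4. Verify once HA traffic has flowed: a main-mode and a quick-mode SA
#    should exist for the peer; their absence means IPsec did not negotiate.
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndPoint -eq $PeerMember }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndPoint -eq $PeerMember }
```

Apply the rule on both members before enforcing it, since a one-sided Require rule stops replication until the other side negotiates. If the collective members are not domain joined, the same rule works with a certificate proposal (New-NetIPsecAuthProposal -Machine -Cert) in place of Kerberos.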
 

General Considerations

For a list of PI System firewall port requirements, refer to the Knowledge Base article KB01162 - Firewall Port Requirements.

For a starting point on PI System security best practices, refer to the Knowledge Base article KB00833 - Seven best practices for securing your PI Server.

This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.
 

References

Common Weakness Enumeration (CWE): http://cwe.mitre.org/
Common Vulnerability Scoring System (CVSS): https://nvd.nist.gov/cvss.cfm
Security Development Lifecycle (SDL): http://www.microsoft.com/en-us/sdl/default.aspx
OSIsoft's Ethical Disclosure Policy: https://techsupport.osisoft.com/Troubleshooting/Ethical-Disclosure-Policy