AL00344 - OSIsoft releases security update in PI Vision 2017 R2 SP1

Published Date: 11-Dec-2018

Summary

PI Vision 2017 R2 SP1 resolves a cross-site scripting vulnerability that occurs when rendering displays that reference AF elements and attributes containing JavaScript. Exploiting this vulnerability requires an authorized AF user with the ability to store JavaScript in AF elements and attributes.

OSIsoft recommends upgrading the affected software package to address this issue. The resolved issue was rated Medium (CVSS 4.0-7.0) using the Common Vulnerability Scoring System (CVSS).

Impact

Successful exploitation of this vulnerability would allow an attacker to read and modify the contents of the PI Vision web page, and data related to the PI Vision application, in the victim's browser.

The issue was scored as a 4.8 (Medium) on the CVSS 3.0 scale with the following vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.
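The score above can be reproduced from the vector string. The following CVSS v3.0 base-score calculator is an added example written for this page (it is not OSIsoft's or NVD's code); the metric weights and formulas are those of the CVSS v3.0 specification, and the function names are this example's own.

```javascript
// Added example: CVSS v3.0 base-score calculation from a vector string.
// Weights and formulas are those of the CVSS v3.0 specification.
const CVSS30 = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  // Privileges Required takes a higher weight when Scope is Changed.
  PR: { N: { U: 0.85, C: 0.85 }, L: { U: 0.62, C: 0.68 }, H: { U: 0.27, C: 0.5 } },
  UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
};
const BASE_METRICS = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"];

// Parse "AV:N/AC:L/..." (with or without a leading "CVSS:3.0/") into a map
// and reject vectors that omit a base metric or carry a malformed part.
function parseVector(vector) {
  const metrics = {};
  for (const part of vector.replace(/^CVSS:3\.0\//, "").split("/")) {
    const [key, value] = part.split(":");
    if (!key || value === undefined) throw new Error(`malformed metric "${part}"`);
    metrics[key] = value;
  }
  for (const key of BASE_METRICS) {
    if (!(key in metrics)) throw new Error(`missing base metric ${key}`);
  }
  if (!["U", "C"].includes(metrics.S)) throw new Error(`bad Scope value ${metrics.S}`);
  return metrics;
}

// CVSS v3.0 Roundup: round up to one decimal place.
const roundUp = (x) => Math.ceil(x * 10) / 10;

function cvss30BaseScore(vector) {
  const m = parseVector(vector);
  const w = CVSS30;
  const lookups = [
    w.AV[m.AV], w.AC[m.AC], w.PR[m.PR] && w.PR[m.PR][m.S], w.UI[m.UI],
    w.CIA[m.C], w.CIA[m.I], w.CIA[m.A],
  ];
  if (lookups.some((v) => v === undefined)) throw new Error(`unknown metric value in ${vector}`);
  const [av, ac, pr, ui, c, i, a] = lookups;

  // Impact sub-score; the Scope:Changed branch uses the v3.0 adjusted curve.
  const iss = 1 - (1 - c) * (1 - i) * (1 - a);
  const impact = m.S === "C"
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability = 8.22 * av * ac * pr * ui;
  if (impact <= 0) return 0;
  const raw = m.S === "C" ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundUp(Math.min(raw, 10));
}

// Qualitative rating bands defined by the CVSS v3.0 specification.
function severity(score) {
  if (score === 0) return "None";
  if (score < 4.0) return "Low";
  if (score < 7.0) return "Medium";
  if (score < 9.0) return "High";
  return "Critical";
}

if (typeof require !== "undefined" && require.main === module) {
  const vector = "AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"; // vector from this bulletin
  const score = cvss30BaseScore(vector);
  console.log(vector, "=>", score, severity(score));
}
```

For this bulletin's vector the impact sub-score is about 2.73 and the exploitability sub-score about 1.67; because Scope is Changed the sum is multiplied by 1.08 and rounded up, giving 4.8. The PR:H weight is what keeps the score in the Medium band: the same vector with PR:N would score noticeably higher, which matches the bulletin's point that an attacker first needs write access to AF.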

Affected Software

This issue applies to PI Vision 2017 and PI Vision 2017 R2.

Recommendation

Upgrade to PI Vision 2017 R2 SP1 to address this issue.

When OSIsoft issued this security bulletin, was it aware of this vulnerability being exploited?

This vulnerability was self-identified by OSIsoft.  There have been no exploit activities reported related to this vulnerability.

Defensive Measures

All access to the AF Server is protected by Windows authentication, so the modifications to AF data items required by an attacker would have to be performed by a user with write access to either the AF hierarchy or templates.  Periodic review of AF Server permissions to ensure only intended users are granted write access to elements, element templates, and event frame templates is a good practice to reduce exposure.  

Similarly, which data items are available to PI Vision is controlled by the PI Vision Administrators through the Administrative site.  Only add data sources to PI Vision that you can verify as legitimate with appropriate access control configured.  

For additional guidance on web security for PI Vision, please see KB01631 - Security Tips for PI Vision.
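As an added illustration that is not OSIsoft or PI Vision code and does not describe PI Vision internals, the following JavaScript contrasts the pattern the Summary describes (AF element and attribute names placed verbatim into display markup) with an escaped rendering of the same data, and adds a small scan over exported AF names of the kind the periodic-review recommendation above calls for. The sample AF items, the field names and every helper function are constructed for this example.

```javascript
// Added example (not OSIsoft or PI Vision code). Constructed AF items: the
// third carries markup of the kind a user with AF write access could store.
const SAMPLE_AF_ITEMS = [
  { element: "Boiler01", attribute: "Steam Pressure", value: "412.5 kPa" },
  { element: "Pump A&B", attribute: "Flow Rate", value: "33.0 m3/h" },
  { element: 'Tank"1', attribute: "Level <script>document.title='x'</script>", value: "71 %" },
];

// Escape the five characters that matter inside text nodes and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: AF names go into the markup verbatim, so any tag or
// event handler stored in AF is parsed and executed by the viewer's browser.
function renderRowUnsafe(item) {
  return `<tr><td>${item.element}</td><td>${item.attribute}</td><td>${item.value}</td></tr>`;
}

// Hardened pattern: every AF-sourced string is escaped before it enters
// markup, so the same stored text is shown literally instead of interpreted.
function renderRowSafe(item) {
  return `<tr><td>${escapeHtml(item.element)}</td><td>${escapeHtml(item.attribute)}</td><td>${escapeHtml(item.value)}</td></tr>`;
}

function renderDisplay(items, hardened) {
  const rows = items.map(hardened ? renderRowSafe : renderRowUnsafe).join("");
  return `<table>${rows}</table>`;
}

// Check used in the tests: after removing the tags the template itself emits,
// is any element or inline event handler left in the generated HTML?
function containsInjectedMarkup(html) {
  const rest = html.replace(/<\/?(table|tr|td)>/g, "");
  return /<[a-z]/i.test(rest) || /\son[a-z]+\s*=/i.test(rest);
}

// Audit helper for the periodic-review recommendation: list AF names that
// contain markup-significant characters so an administrator can check who
// wrote them and whether they are legitimate.
function findSuspiciousNames(items) {
  const markup = /[<>"']|javascript:/i;
  return items
    .filter((it) => markup.test(it.element) || markup.test(it.attribute))
    .map((it) => `${it.element} / ${it.attribute}`);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderDisplay(SAMPLE_AF_ITEMS, false));
  console.log("safe:  ", renderDisplay(SAMPLE_AF_ITEMS, true));
  console.log("review:", findSuspiciousNames(SAMPLE_AF_ITEMS));
}
```

The scan is deliberately crude: "Pump A&B" is escaped correctly by the renderer but is not flagged, because an ampersand alone cannot introduce a tag, while the quote in 'Tank"1' is flagged even though it may be a legitimate name. The point of the review is not to block such names but to confirm that the accounts with write access to elements and templates are the intended ones.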

General Considerations

For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.

Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.

For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.

This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.

References

Common Vulnerability Scoring System (CVSS): https://nvd.nist.gov/cvss.cfm
Security Development Lifecycle (SDL): http://www.microsoft.com/en-us/sdl/default.aspx
OSIsoft's Ethical Disclosure Policy: https://techsupport.osisoft.com/Troubleshooting/Ethical-Disclosure-Policy

Common Vulnerability Scoring System (CVSS) Score: 4.8
CVSS Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N