CVSS2: 7.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: High)
EPSS: 0.035 Low (Percentile: 91.6%)
This updated advisory is a follow-up to the original advisory titled ICSA-20-133-02 OSIsoft PI System that was published May 12, 2020, on the ICS webpage on us-cert.gov.
Successful exploitation of these vulnerabilities could allow an attacker to access unauthorized information, delete or modify local processes, and crash the affected device.
The following versions of PI System are affected:
CVE-2020-10610, CVE-2020-10608, CVE-2020-10606:
--------- Begin Update A Part 1 of 2 ---------
--------- End Update A Part 1 of 2 ---------
CVE-2020-10604, CVE-2020-10602:
CVE-2020-10600:
CVE-2019-10768:
CVE-2020-10600, CVE-2020-10614, CVE-2019-18244:
A local attacker can modify a search path and plant a binary to exploit the affected PI System software to take control of the local computer at Windows system privilege level, resulting in unauthorized information disclosure, deletion, or modification.
CVE-2020-10610 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. This exploitation can target another local user of PI System software on the computer to escalate privilege and result in unauthorized information disclosure, deletion, or modification.
CVE-2020-10608 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment.
CVE-2020-10606 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive.
CVE-2020-10604 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An authenticated remote attacker could crash PI Network Manager due to a race condition. This can result in blocking connections and queries to PI Data Archive.
CVE-2020-10602 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An authenticated remote attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive.
CVE-2020-10600 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).
An authenticated remote attacker could add or modify internal object properties, resulting in undefined behavior.
CVE-2019-10768 and CVE-2019-11358 have been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision mobile to a vulnerable webpage due to a known issue in a third-party component.
CVE-2020-10643 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
An authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.
CVE-2020-10614 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:H).
A local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.
CVE-2019-18244 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
William Knowles, Senior Security Consultant at Applied Risk, working with OSIsoft, reported vulnerabilities to CISA.
--------- Begin Update A Part 2 of 2 ---------
OSIsoft provides the following security updates to mitigate the reported vulnerabilities:
OSIsoft reports that further action should be taken after applying the security updates. Remove PI Asset Framework (AF) Client .NET 3.5 after verifying that OSIsoft products that include the PI AF Client, such as PI ProcessBook, PI DataLink, and other PI System desktop applications, have been upgraded to 2015 or later versions, in order to eliminate exposure to CVE-2020-10608.
For PI System servers and interface nodes that are normally unattended, limit console and remote desktop logon access to authorized administrators.
Individual updates for core PI System components are available. Additionally, the following OSIsoft product installation kits have been re-released to automatically deliver the updated components:
Client
Server
Connectors
OSIsoft reports that not all products have been rebundled to include the affected update.
Contact OSIsoft support for guidance on products that use affected components and are missing from the currently available releases.
--------- End Update A Part 2 of 2 ---------
CVE-2020-10610—Manage permissions on HKLM\Software\PISystem and HKLM\WOW6432Node\Software\PISystem registry keys to block a high impact exploit path. See OSIsoft customer portal knowledge article PI System Registry Security Recommendations for details on setting registry permissions.
CVE-2019-18244—Provision and use domain Group Managed Service Accounts or use the default NetworkService account to run PI Vision AppPools. There is no exposure to this vulnerability when using either of these account types. To limit exposure in case a standard domain account is used to run PI Vision AppPools, remove the password entry from the setup log files immediately.
OSIsoft reports the following measures can be used to lower the likelihood of exploitation:
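An added example, not taken from the advisory or from OSIsoft: a PowerShell audit for the CVE-2020-10610 registry mitigation above, listing principals outside an allow-list that hold write-type rights on the PI System keys or their subkeys. The allow-list and the third key path (the usual location of the 32-bit registry view) are assumptions; the first two paths are as written in the advisory.

```powershell
# Added example: audit write access on the PI System registry keys (CVE-2020-10610).
# The first two paths are as written in the advisory; the third is the usual
# location of the 32-bit registry view on 64-bit Windows (assumption).
$keys = @(
    'HKLM:\Software\PISystem',
    'HKLM:\WOW6432Node\Software\PISystem',
    'HKLM:\Software\WOW6432Node\PISystem'
)

# Principals expected to hold write access (assumption; adjust to local policy).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Specific rights that change a key, plus GENERIC_WRITE / GENERIC_ALL, which
# appear as raw bits on some inherit-only entries.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x40000000 -bor 0x10000000

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    # Walk subkeys too: a permissive ACL deeper in the tree is equally exposed.
    $targets = @(Get-Item -LiteralPath $key) +
               @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($t in $targets) {
        foreach ($ace in (Get-Acl -LiteralPath $t.PSPath).Access) {
            $canWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $trusted -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Key       = $t.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Key, Identity | Format-Table -AutoSize }
else { 'No write access found for principals outside the allow-list.' }
```

Run it from an elevated session so every subkey ACL is readable; an entry with Inherited set to True has to be corrected on the parent key it comes from.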
CVE-2020-10610, CVE-2020-10608, CVE-2020-10606—Migrate standard users to PI Vision and browser-based access to PI System data.
CVE-2020-10608—Restrict network connections from PI client workstations to trusted AF servers (TCP Port 5457).
CVE-2020-10606—Disable unused PI Buffering services from PI client workstations (PI Buffer Subsystem, PI Buffer Server).
CVE-2019-10768, CVE-2020-10600, CVE-2020-10614—Limit write access to PI Vision displays to trusted users.
The following measures can be used to lower the potential impact of exploitation:
CVE-2020-10610 and CVE-2020-10608—Deploy application whitelisting solutions with enforcement for approved DLLs:
For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.
CVE-2020-10604, CVE-2020-10602, CVE-2020-10600—Fully configure Windows authentication for the PI System and disable legacy authentication methods. For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.
For more information and workaround details for these vulnerabilities, please refer to OSIsoft’s Security Bulletin (registration required): OSIsoft Updates PI System and Common Components.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10768
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18244
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10600
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10602
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10604
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10606
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10608
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10610
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10614
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10643
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=000026046
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=000027258
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=000027554
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00994
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB01162
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB01892
cwe.mitre.org/data/definitions/20.html
cwe.mitre.org/data/definitions/248.html
cwe.mitre.org/data/definitions/276.html
cwe.mitre.org/data/definitions/347.html
cwe.mitre.org/data/definitions/427.html
cwe.mitre.org/data/definitions/476.html
cwe.mitre.org/data/definitions/532.html
cwe.mitre.org/data/definitions/79.html
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
www.us-cert.gov/ics
www.us-cert.gov/ics/recommended-practices
www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B
www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf