ICSA-20-133-02  ·  Published 2020-06-09

OSIsoft PI System (Update A)

CVSS 7.8 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to access unauthorized information, delete or modify local processes, and crash the affected device.

Remediations

  • OSIsoft provides the following security updates to mitigate the reported vulnerabilities:
  • OSIsoft reports that further action should be taken after applying the security updates: remove PI Asset Framework (AF) Client .NET 3.5 after verifying that OSIsoft products that include the PI AF Client, such as PI ProcessBook, PI DataLink and other PI System desktop applications, have been upgraded to 2015 or later versions, in order to eliminate exposure to CVE-2020-10608.
  • For PI System servers and interface nodes that are normally unattended, limit console and remote desktop logon access to authorized administrators.
  • Individual updates for core PI System components are available. Additionally, the following OSIsoft product installation kits have been re-released to automatically deliver the updated components:
      • Client
      • Server
      • Connectors
  • OSIsoft reports not all products have been rebundled to include the affected update.
  • Contact OSIsoft support for guidance on products that use affected components and are missing from the currently available releases.
  • CVE-2020-10610: Manage permissions on the HKLM\Software\PISystem and HKLM\WOW6432Node\Software\PISystem registry keys to block a high impact exploit path. See the OSIsoft customer portal knowledge article PI System Registry Security Recommendations for details on setting registry permissions.
  • CVE-2019-18244: Provision and use domain Group Managed Service Accounts or use the default NetworkService account to run PI Vision AppPools. There is no exposure to this vulnerability when using either of these account types. To limit exposure if a standard domain account is used to run PI Vision AppPools, remove the password entry from the setup log files immediately.
  • OSIsoft reports the following measures can be used to lower the likelihood of exploitation:
  • CVE-2020-10610, CVE-2020-10608, CVE-2020-10606: Migrate standard users to PI Vision and browser-based access to PI System data.
  • CVE-2020-10608: Restrict network connections from PI client workstations to trusted AF servers (TCP Port 5457).
  • CVE-2020-10606: Disable unused PI Buffering services from PI client workstations (PI Buffer Subsystem, PI Buffer Server).
  • CVE-2019-10768, CVE-2020-10600, CVE-2020-10614: Limit write access to PI Vision displays to trusted users.
  • The following measures can be used to lower the potential impact of exploitation:
  • CVE-2020-10610 and CVE-2020-10608: Deploy application whitelisting solutions with enforcement for approved DLLs:
  • For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.
  • CVE-2020-10604, CVE-2020-10602, CVE-2020-10600: Fully configure Windows authentication for the PI System and disable legacy authentication methods. For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.
  • For more information and workaround details for these vulnerabilities, please refer to OSIsoft's Security Bulletin (registration required): OSIsoft Updates PI System and Common Components.
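
The following PowerShell audit, added here as an example and not taken from OSIsoft or CISA, checks three of the measures above on a PI client workstation: write access to the PI System registry keys (CVE-2020-10610), PI Buffering services that are still enabled (CVE-2020-10606), and AF connections on TCP 5457 to servers outside an allowlist (CVE-2020-10608). The trusted-principal list, the allowlist address 192.0.2.10 and the third registry path (the usual WOW6432Node location on 64-bit Windows) are assumptions not found in the advisory.

```powershell
# Added example: read-only audit of three workstation-side mitigations.
# Run elevated on a PI client workstation (PowerShell 5.0 or later).

# 1) CVE-2020-10610: who besides administrators can write the PI System keys?
$keys = 'HKLM:\Software\PISystem',
        'HKLM:\WOW6432Node\Software\PISystem',  # path as written in the advisory
        'HKLM:\Software\WOW6432Node\PISystem'   # assumption: usual 32-bit view on 64-bit Windows
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Also catch ACEs expressed as GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000)
$writeMask = [int]$rights -bor 0x50000000
# Assumption: principals allowed to hold write access; adjust to local policy
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

$aclFindings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
        $isWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Key = $key; Identity = $ace.IdentityReference.Value
                               Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
        }
    }
}

# 2) CVE-2020-10606: PI Buffering services that are not disabled
$bufferServices = Get-Service -DisplayName 'PI Buffer Subsystem', 'PI Buffer Server' -ErrorAction SilentlyContinue |
    Where-Object { $_.StartType -ne 'Disabled' } |
    Select-Object Name, DisplayName, Status, StartType

# 3) CVE-2020-10608: established AF connections (TCP 5457) to servers off the allowlist
$trustedAf = @('192.0.2.10')   # constructed placeholder; replace with your AF servers
$afConnections = Get-NetTCPConnection -RemotePort 5457 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $trustedAf -notcontains $_.RemoteAddress } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

'Write ACEs for non-trusted principals on PI System keys:'
$aclFindings | Format-Table -AutoSize
'PI Buffering services not disabled:'
$bufferServices | Format-Table -AutoSize
'Established TCP 5457 connections to servers outside the allowlist:'
$afConnections | Format-Table -AutoSize
```

Empty sections mean nothing was found for that check; the connection check only sees sessions open at the moment the script runs.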

Affected Vendors

OSIsoft LLC

Affected Products (28)

OSIsoft LLC · PI Connector for BACnet <= 1.2.0.6
OSIsoft LLC · PI API for Windows Integrated Security <= 2.0.2.5
OSIsoft LLC · Applications using PI Software Development Kit (SDK) <= PI SDK 2018 SP1 Version 1.4.7.602
OSIsoft LLC · PI Data Archive 2018 | 2018 SP2
OSIsoft LLC · PI Connector for UFL <= 1.3.1.135
OSIsoft LLC · PI Connector for Siemens Simatic PCS 7 <= 1.2.1.71
OSIsoft LLC · PI Connector for CygNet <= 1.4.0.17
OSIsoft LLC · PI Connector for DC Systems RTscada <= 1.2.0.42
OSIsoft LLC · PI to OCS <= 1.1.36.0
OSIsoft LLC · PI Connector for Ping <= 1.0.0.54
OSIsoft LLC · PI Data Collection Manager <= 2.5.19.0
OSIsoft LLC · PI Data Archive <= 2018 SP3 Version 3.4.430.460
OSIsoft LLC · PI Integrator for Business Analytics <= 2018 R2 SP1 Version 2.2.0.183
OSIsoft LLC · PI Manual Logger <= 2017 R2 Patch 1
OSIsoft LLC · PI Connector for Ethernet/IP <= 1.1.0.10
OSIsoft LLC · PI Connector for Wonderware Historian <= 1.5.0.88
OSIsoft LLC · PI Vision <= 2019
OSIsoft LLC · Applications using PI Asset Framework (AF) Client <= PI AF Client 2018 SP3 Patch 1 Version 2.10.7.283
OSIsoft LLC · PI Data Archive <= 2018 SP2
OSIsoft LLC · RtReports <= 4.1
OSIsoft LLC · PI Connector for OPC-UA <= 1.3.0.130
OSIsoft LLC · PI Connector Relay <= 2.5.19.0
OSIsoft LLC · PI Connector for IEC 60870-5-104 <= 1.2.2.79
OSIsoft LLC · PI Buffer Subsystem <= 4.8.0.18
OSIsoft LLC · PI Interface Configuration Utility (ICU) <= 1.5.0.7
OSIsoft LLC · PI Connector for HART-IP <= 1.3.0.1
OSIsoft LLC · PI Vision <= 2019
OSIsoft LLC · PI API <= 1.6.8.26

Affected Sectors

Multiple Sectors
