This afternoon the DHS ICS-CERT published twin advisories
for control system vulnerabilities in OSIsoft PI products. Both advisories were
based upon self-disclosed vulnerabilities.
AF Server Advisory
This advisory
describes an input validation vulnerability in the PI AF Server. OSIsoft has
produced a new version that mitigates the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to execute a denial of service
attack.
ICS-CERT reports that the vulnerability is limited to Port
5459 and lists the two OSIsoft products (and versions) that require access to
the port. OSIsoft provides a tech document
that lists all of the port requirements for the AF Server. ICS-CERT also
suggests limiting access to the AF Server and OSIsoft notes
that the “Built-in PI AF Identity "World" is mapped to the Windows
Everyone users group by default” and suggests replacing that PI AF Identity.
SQL Database Access Server Advisory
This advisory describes an input validation vulnerability in
the PI SQL Data Access Server. OSIsoft has produced a new version that
mitigates the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause the server to stop responding
in a way that may cause an incomplete update, resulting in partial data loss.
ICS-CERT reports that the vulnerability is limited to Ports
5461 and 5462 and lists the two OSIsoft products (and versions) that require
access to those ports. OSIsoft provides a tech document
that lists all of the port requirements for the AF Server.
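
As an added example (not from ICS-CERT, OSIsoft or this post), the Python script below audits firewall connection records for the ports named in the two advisories (5459, 5461 and 5462) and reports allowed connections from sources outside an approved list, which helps scope the access restrictions ICS-CERT suggests. The log format, the approved subnets and every address in the sample are constructed assumptions.

```python
import ipaddress

# Ports named in the two advisories, mapped to the affected service.
PI_PORTS = {
    5459: "PI AF Server",
    5461: "PI SQL Data Access Server",
    5462: "PI SQL Data Access Server",
}

# Assumption: subnets that legitimately host PI clients (constructed values).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("10.20.40.16/28"),
]

# Constructed sample records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2000-01-01T08:00:01Z 10.20.30.15 10.20.50.5 5459 ALLOW
2000-01-01T08:00:07Z 198.51.100.7 10.20.50.5 5459 ALLOW
2000-01-01T08:01:12Z 10.20.40.20 10.20.50.6 5461 ALLOW
2000-01-01T08:02:30Z 10.20.40.40 10.20.50.6 5462 ALLOW
2000-01-01T08:03:02Z 203.0.113.9 10.20.50.6 5461 DENY
2000-01-01T08:03:45Z 198.51.100.7 10.20.50.5 443 ALLOW
truncated record
"""

def audit(log_text, allowed=ALLOWED_SOURCES, ports=PI_PORTS):
    """Return allowed connections to PI ports from non-approved sources."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated records
        ts, src, dst, port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue  # unparsable address or port
        # Only traffic the firewall let through to an affected port matters.
        if port not in ports or action != "ALLOW":
            continue
        if not any(src_ip in net for net in allowed):
            findings.append((ts, src, dst, port, ports[port]))
    return findings

if __name__ == "__main__":
    for ts, src, dst, port, service in audit(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{port} ({service}) is outside the approved sources")
```
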