SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-778126296] OSIsoft PI Web API 2017

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2017-06-13OtherOSIsoftThese issues were found by OSIsoft and reported once they had prepared an upgrade to fix them. N/ACVE-2017-7926 N/AN/AN/A

Source

						
							
								
#
# OSIsoft PI Web API 2017
#


### VULNERABLE VENDOR
OSIsoft


### VULNERABLE PRODUCT
PI Web API 2017



### RESEARCHER
These issues were found by OSIsoft and reported once they had prepared an upgrade to fix them.



### AFFECTED PRODUCTS

OSIsoft reports that the vulnerability affects the following PI Web API products:

PI Web API versions prior to 2017 (1.9.0).



### IMPACT

Successful exploitation of this vulnerability may allow an attacker to access the PI System with the privileges of a legitimate client user. PI System data alteration is possible if the client user has sufficient access to write data.



### VULNERABILITY OVERVIEW

CROSS-SITE REQUEST FORGERY CWE-352
The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser the server has previously authenticated.
CVE-2017-7926 has been assigned to this vulnerability.
OSIsoft calculated a CVSS v3 base score of 7.1; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)





### BACKGROUND

Critical Infrastructure Sectors: Multiple Sectors
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States




### MITIGATION

OSIsoft recommends that users upgrade to the PI Web API version 2017 (1.9.0) and enable CSRF defense. To enable this option, set the configuration attribute 'EnableCSRFDefense' to 'True' in the PI Web API System Configuration element. This element is located at the path "..\OSIsoft\PI Web API\PIWebAPIMachineName\System Configuration" in PI AF Server Configuration database.

A new installation of PI Web API 2017 (1.9.0) enables CSRF protection by default.

Please see alert AL00316 on the OSIsoft web page for more information about this issue:

https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00316