#VU7100 Improper authentication in PI Data Archive
Vulnerability identifier: #VU7100
Vulnerability risk: Low
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PI Data Archive
Client/Desktop applications /
Software for archiving
Vendor: OSIsoft
Description
The vulnerability allows a remote attacker to gain access to the system.
The weakness exists due to a flaw in PI Network Manager using older protocol versions. A remote attacker can authenticate with a server and then cause PI Network Manager to behave in an undefined manner.
Successful exploitation results may result in denial of service
Mitigation
Update to version 2017.
Vulnerable software versions
PI Data Archive: 2015 - 2016
External links
http://ics-cert.us-cert.gov/advisories/ICSA-17-164-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
