First published: Fri Jul 24 2020
An authenticated remote attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive (2018 SP2 and prior versions).
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
OSIsoft PI Data Archive | <=2019 | |
OSIsoft PI Asset Framework (AF) Client | ||
OSIsoft PI Software Development Kit (SDK) | ||
OSIsoft PI API | ||
OSIsoft PI Buffer Subsystem | ||
OSIsoft PI Connector for BACnet | ||
OSIsoft PI Connector for CygNet | ||
OSIsoft PI Connector for DC Systems RTscada | ||
OSIsoft PI Connector for Ethernet/IP | ||
OSIsoft | ||
OSIsoft PI Connector for Ping | ||
OSIsoft PI Connector for Wonderware Historian | ||
OSIsoft PI Connector Relay | ||
OSIsoft PI Data Archive | ||
OSIsoft PI Data Collection Manager | ||
OSIsoft PI Integrator for Business Analytics | ||
OSIsoft PI Interface Configuration Utility | ||
OSIsoft PI to OCS | ||
Fully configure Windows authentication for the PI System and disable legacy authentication methods. For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server (https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00833).
CVE-2020-10600 allows an authenticated remote attacker to crash the PI Archive Subsystem.
You can fix CVE-2020-10600 by updating to the latest version of the affected software, specifically PI Data Archive 2018 SP3 or later.
CVE-2020-10600 affects PI Data Archive versions prior to and including 2018 SP3, along with various other OSIsoft components.
Exploitation of CVE-2020-10600 could lead to blocking queries to the PI Data Archive, impacting system functionality.
An attacker must be authenticated to exploit CVE-2020-10600.