What is CVE-2020-10606?

CVE-2020-10606 is a vulnerability in OSIsoft PI System software that allows a local attacker to exploit incorrect permissions and gain unauthorized access to sensitive information or modify/delete data.

Which products and versions are affected by CVE-2020-10606?

The following products and versions are affected: Osisoft Pi Api 1.6.8.26, Osisoft Pi Api 2.0.2.5 (with Windows Integrated Security), Osisoft Pi Buffer Subsystem 4.8.0.18, Osisoft Pi Connector (Ping) 1.0.0.54, Osisoft Pi Connector (Ethernet/IP) 1.1.0.10, Osisoft Pi Connector (BACnet) 1.2.0.6, Osisoft Pi Connector (DC Systems RTScada) 1.2.0.42, Osisoft Pi Connector (Siemens Simatic PCS 7) 1.2.1.71, Osisoft Pi Connector (IEC 60870-5-104) 1.2.2.79, Osisoft Pi Connector (HART-IP) 1.3.0.1, Osisoft Pi Connector (OPC-UA) 1.3.0.130, Osisoft Pi Connector (UFL) 1.3.1.135, Osisoft Pi Connector (CygNet) 1.4.0.17, Osisoft Pi Connector (Wonderware Historian) 1.5.0.88, Osisoft Pi Connector Relay 2.5.19.0, OSIsoft PI Data Archive 3.4.430.460, Osisoft Pi Data Collection Manager 2.5.19.0, Osisoft Pi Integrator (Business Analytics) 2.2.0.183, Osisoft Pi Interface Configuration Utility 1.5.0.7, Osisoft Pi To Ocs 1.1.36.0.

What is the severity of CVE-2020-10606?

The severity of CVE-2020-10606 is high, with a CVSS score of 7.8.

What can a local attacker do with CVE-2020-10606?

A local attacker can exploit CVE-2020-10606 to gain unauthorized access, disclose sensitive information, and modify or delete data.

Where can I find more information about CVE-2020-10606?

You can find more information about CVE-2020-10606 at the following reference: https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02

Vulnerability/
CVE-2020-10606

high

7.8

CWE

276

24/7/2020

4/8/2024

CVE-2020-10606

First published: Fri Jul 24 2020(Updated: )

In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment.

Credit: ics-cert@hq.dhs.gov

Affected Software	Affected Version	How to fix
OSIsoft PI Asset Framework (AF) Client
OSIsoft PI Software Development Kit (SDK)
OSIsoft PI API
OSIsoft PI API
OSIsoft PI Buffer Subsystem
OSIsoft PI Connector for BACnet
OSIsoft PI Connector for CygNet
OSIsoft PI Connector for DC Systems RTscada
OSIsoft PI Connector for Ethernet/IP
OSIsoft
OSIsoft PI Connector for Ping
OSIsoft PI Connector for Wonderware Historian
OSIsoft PI Connector Relay
OSIsoft PI Data Archive
OSIsoft PI Data Collection Manager
OSIsoft PI Integrator for Business Analytics
OSIsoft PI Interface Configuration Utility
OSIsoft PI to OCS
OSiSoft PI SDK	<=1.6.8.26
OSiSoft PI SDK	<=2.0.2.5
OSIsoft PI Buffer Subsystem	<=4.8.0.18
Osisoft PI Connector	<=1.0.0.54
Osisoft PI Connector	<=1.1.0.10
Osisoft PI Connector	<=1.2.0.6
Osisoft PI Connector	<=1.2.0.42
Osisoft PI Connector	<=1.2.1.71
Osisoft PI Connector	<=1.2.2.79
Osisoft PI Connector	<=1.3.0.1
Osisoft PI Connector	<=1.3.0.130
Osisoft PI Connector	<=1.3.1.135
Osisoft PI Connector	<=1.4.0.17
Osisoft PI Connector	<=1.5.0.88
Osisoft PI Connector	<=2.5.19.0
OSIsoft PI Data Archive	<=3.4.430.460
OSIsoft PI Data Collection Manager	<=2.5.19.0
OSIsoft PI Integrator	<=2.2.0.183
OSIsoft PI Interface Configuration Utility	<=1.5.0.7
OSIsoft PI to OCS	<=1.1.36.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

ICSA-20-133-02

Frequently Asked Questions

What is CVE-2020-10606?
CVE-2020-10606 is a vulnerability in OSIsoft PI System software that allows a local attacker to exploit incorrect permissions and gain unauthorized access to sensitive information or modify/delete data.
Which products and versions are affected by CVE-2020-10606?
The following products and versions are affected: Osisoft Pi Api 1.6.8.26, Osisoft Pi Api 2.0.2.5 (with Windows Integrated Security), Osisoft Pi Buffer Subsystem 4.8.0.18, Osisoft Pi Connector (Ping) 1.0.0.54, Osisoft Pi Connector (Ethernet/IP) 1.1.0.10, Osisoft Pi Connector (BACnet) 1.2.0.6, Osisoft Pi Connector (DC Systems RTScada) 1.2.0.42, Osisoft Pi Connector (Siemens Simatic PCS 7) 1.2.1.71, Osisoft Pi Connector (IEC 60870-5-104) 1.2.2.79, Osisoft Pi Connector (HART-IP) 1.3.0.1, Osisoft Pi Connector (OPC-UA) 1.3.0.130, Osisoft Pi Connector (UFL) 1.3.1.135, Osisoft Pi Connector (CygNet) 1.4.0.17, Osisoft Pi Connector (Wonderware Historian) 1.5.0.88, Osisoft Pi Connector Relay 2.5.19.0, OSIsoft PI Data Archive 3.4.430.460, Osisoft Pi Data Collection Manager 2.5.19.0, Osisoft Pi Integrator (Business Analytics) 2.2.0.183, Osisoft Pi Interface Configuration Utility 1.5.0.7, Osisoft Pi To Ocs 1.1.36.0.
What is the severity of CVE-2020-10606?
The severity of CVE-2020-10606 is high, with a CVSS score of 7.8.
What can a local attacker do with CVE-2020-10606?
A local attacker can exploit CVE-2020-10606 to gain unauthorized access, disclose sensitive information, and modify or delete data.
Where can I find more information about CVE-2020-10606?
You can find more information about CVE-2020-10606 at the following reference: https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02

agent/type
collector/mitre-cve
source/MITRE
agent/author
agent/last-modified-date
agent/weakness
agent/description
agent/event
agent/first-publish-date
agent/severity
agent/references
agent/softwarecombine
agent/trending
agent/source
agent/tags
collector/ics-cert-advisory
source/ICS
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/osisoft
canonical/osisoft pi asset framework (af) client
canonical/osisoft pi software development kit (sdk)
canonical/osisoft pi api
canonical/osisoft pi buffer subsystem
canonical/osisoft pi connector for bacnet
canonical/osisoft pi connector for cygnet
canonical/osisoft pi connector for dc systems rtscada
canonical/osisoft pi connector for ethernet/ip
canonical/osisoft
canonical/osisoft pi connector for ping
canonical/osisoft pi connector for wonderware historian
canonical/osisoft pi connector relay
canonical/osisoft pi data archive
canonical/osisoft pi data collection manager
canonical/osisoft pi integrator for business analytics
canonical/osisoft pi interface configuration utility
canonical/osisoft pi to ocs
canonical/osisoft pi sdk
version/osisoft pi sdk/1.6.8.26
version/osisoft pi sdk/2.0.2.5
version/osisoft pi buffer subsystem/4.8.0.18
canonical/osisoft pi connector
version/osisoft pi connector/1.0.0.54
version/osisoft pi connector/1.1.0.10
version/osisoft pi connector/1.2.0.6
version/osisoft pi connector/1.2.0.42
version/osisoft pi connector/1.2.1.71
version/osisoft pi connector/1.2.2.79
version/osisoft pi connector/1.3.0.1
version/osisoft pi connector/1.3.0.130
version/osisoft pi connector/1.3.1.135
version/osisoft pi connector/1.4.0.17
version/osisoft pi connector/1.5.0.88
version/osisoft pi connector/2.5.19.0
version/osisoft pi data archive/3.4.430.460
version/osisoft pi data collection manager/2.5.19.0
canonical/osisoft pi integrator
version/osisoft pi integrator/2.2.0.183
version/osisoft pi interface configuration utility/1.5.0.7
version/osisoft pi to ocs/1.1.36.0