First published: Fri Jul 24 2020(Updated: )
In OSIsoft PI System multiple products and versions, a local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. This exploitation can target another local user of PI System software on the computer to escalate privilege and result in unauthorized information disclosure, deletion, or modification.
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
Osisoft Pi Api | <=1.6.8.26 | |
Osisoft Pi Api | <=2.0.2.5 | |
Osisoft Pi Buffer Subsystem | <=4.8.0.18 | |
Osisoft Pi Connector | <=1.0.0.54 | |
Osisoft Pi Connector | <=1.1.0.10 | |
Osisoft Pi Connector | <=1.2.0.6 | |
Osisoft Pi Connector | <=1.2.0.42 | |
Osisoft Pi Connector | <=1.2.1.71 | |
Osisoft Pi Connector | <=1.2.2.79 | |
Osisoft Pi Connector | <=1.3.0.1 | |
Osisoft Pi Connector | <=1.3.0.130 | |
Osisoft Pi Connector | <=1.3.1.135 | |
Osisoft Pi Connector | <=1.4.0.17 | |
Osisoft Pi Connector | <=1.5.0.88 | |
Osisoft Pi Connector Relay | <=2.5.19.0 | |
OSIsoft PI Data Archive | <=3.4.430.460 | |
Osisoft Pi Data Collection Manager | <=2.5.19.0 | |
Osisoft Pi Integrator | <=2.2.0.183 | |
Osisoft Pi Interface Configuration Utility | <=1.5.0.7 | |
Osisoft Pi To Ocs | <=1.1.36.0 | |
OSIsoft Applications using PI Asset Framework (AF) Client versions prior to and including PI AF Client 2018 SP3 Patch 1, Version 2.10.7.283 | ||
OSIsoft Applications using PI Software Development Kit (SDK) versions prior to and including PI SDK 2018 SP1, Version 1.4.7.602 | ||
OSIsoft PI API for Windows Integrated Security versions prior to and including 2.0.2.5, | ||
OSIsoft PI API versions prior to and including 1.6.8.26 | ||
OSIsoft PI Buffer Subsystem versions prior to and including 4.8.0.18 | ||
OSIsoft PI Connector for BACnet, versions prior to and including 1.2.0.6 | ||
OSIsoft PI Connector for CygNet, versions prior to and including 1.4.0.17 | ||
OSIsoft PI Connector for DC Systems RTscada, versions prior to and including 1.2.0.42 | ||
OSIsoft PI Connector for Ethernet/IP, versions prior to and including 1.1.0.10 | ||
OSIsoft PI Connector for HART-IP, versions prior to and including 1.3.0.1 | ||
OSIsoft PI Connector for Ping, versions prior to and including 1.0.0.54 | ||
OSIsoft PI Connector for Wonderware Historian, versions prior to and including 1.5.0.88 | ||
OSIsoft PI Connector Relay, versions prior to and including 2.5.19.0 | ||
OSIsoft PI Data Archive versions prior to and including PI Data Archive 2018 SP3, Version 3.4.430.460 | ||
OSIsoft PI Data Collection Manager, versions prior to and including 2.5.19.0 | ||
OSIsoft PI Integrator for Business Analytics versions prior to and including 2018 R2 SP1, Version 2.2.0.183 | ||
OSIsoft PI Interface Configuration Utility (ICU) versions prior to and including 1.5.0.7 | ||
OSIsoft PI to OCS versions prior to and including 1.1.36.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2020-10608.
The severity rating of CVE-2020-10608 is 7.8 (high).
The affected products and versions are: Osisoft Pi Api 1.6.8.26, Osisoft Pi Api 2.0.2.5 (with Windows Integrated Security), Osisoft Pi Buffer Subsystem 4.8.0.18, Osisoft Pi Connector 1.0.0.54 (Ping), Osisoft Pi Connector 1.1.0.10 (Ethernet/IP), Osisoft Pi Connector 1.2.0.6 (BACnet), Osisoft Pi Connector 1.2.0.42 (DC Systems RTSCADA), Osisoft Pi Connector 1.2.1.71 (Siemens SIMATIC PCS 7), Osisoft Pi Connector 1.2.2.79 (IEC 60870-5-104), Osisoft Pi Connector 1.3.0.1 (HART-IP), Osisoft Pi Connector 1.3.0.130 (OPC-UA), Osisoft Pi Connector 1.3.1.135 (UFL), Osisoft Pi Connector 1.4.0.17 (CygNet), Osisoft Pi Connector 1.5.0.88 (Wonderware Historian), Osisoft Pi Connector Relay 2.5.19.0, OSIsoft PI Data Archive 3.4.430.460, Osisoft Pi Data Collection Manager 2.5.19.0, Osisoft Pi Integrator 2.2.0.183 (Business Analytics), Osisoft Pi Interface Configuration Utility 1.5.0.7, Osisoft Pi To Ocs 1.1.36.0.
A local attacker can plant a binary and bypass a code integrity check to escalate privileges and gain unauthorized information access.
Yes, a fix is available for CVE-2020-10608. Please refer to the official reference for more information.