#VU7100 Improper authentication in PI Data Archive - CVE-2017-7934

Cybersecurity Help s.r.o.

Published: 2017-06-15

Vulnerability identifier: #VU7100

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-7934

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PI Data Archive
Client/Desktop applications / Software for archiving

Vendor: OSIsoft

Description
The vulnerability allows a remote attacker to gain access to the system.

The weakness exists due to a flaw in PI Network Manager using older protocol versions. A remote attacker can authenticate with a server and then cause PI Network Manager to behave in an undefined manner.

Successful exploitation results may result in denial of service

Mitigation
Update to version 2017.

Vulnerable software versions

PI Data Archive: 2015 - 2016

External links
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Two vulnerabilities in OSIsoft PI Data Archive