OSIsoft PI Server provides an insecure authentication mechanism

2010-11-19T00:00:00
ID VU:479051
Type cert
Reporter CERT
Modified 2010-11-19T18:16:00

Description

Overview

OSIsoft PI Server provides an insecure authentication mechanism that could allow attackers to read or modify information in databases.

Description

PI Server is a core component of the OSIsoft PI System.

According to a report from C4 Security, OSISoft release notes (login required) for PI Server 3.4.380.36, and OSISoft KB article 5120OSI8, it appears that changes were made to PI Server to better resist brute force authentication attempts. PI Server 3.4.380.36 deprecates an older authentication mechanism in favor of Microsoft Windows authentication.

Windows authentication provides security features such as: logging failed login attempts, enforcing minimum password lengths, and enforcing password time-outs.


Impact

According to reports it appears that the old PI Sever integrated authentication security system method was susceptible to brute force authentication attempts. A successful attempt will allow an attacker to gain access to the PI Server databases.


Solution

OSIsoft recommends upgrading to PI Server version 3.4.380.36.


According to the PI Server 3.4.380.36 release notes the following procedures to mitigate the vulnerability:

Enable the PI Server for Windows authentication and configure PI Trust records
Use IPSec between the PI Server and the different client computers


Vendor Information

479051

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

OSIsoft __ Affected

Notified: September 12, 2008 Updated: November 12, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

OSIsoft recommends upgrading to PI Server version 3.4.380.36. Please see the release notes (login required) for PI Server 3.4.380.36 and OSISoft KB article 5120OSI8.

Vendor References

  • <http://techsupport.osisoft.com/(loginrequired)>
  • <http://techsupport.osisoft.com/Knowledge%20Center/Knowledge%20Center.htm(loginrequired)>

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

  • <http://www.securityfocus.com/archive/1/archive/1/506826/100/0/threaded>
  • <http://techsupport.osisoft.com/>
  • <http://techsupport.osisoft.com/Knowledge%20Center/Knowledge%20Center.htm>

Acknowledgements

Thanks to Eyal Udassin at C4 Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: | CVE-2009-0209
---|---
Severity Metric: | 11.76
Date Public: | 2009-09-30
Date First Published: | 2010-11-19
Date Last Updated: | 2010-11-19 18:16 UTC
Document Revision: | 37