Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure

A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.

OSIsoft PI System is a data management platform that delivers plant monitoring and analysis capabilities. According to the vendor’s website, PI System has been deployed at over 19,000 sites around the world across various industries, including power, oil and gas, manufacturing, and mining.

Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for this flaw, which is tracked as CVE-2020-12021 and which impacts version and prior. OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.

Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System. Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server. Alternatively, an attacker could try to convince an insider to inject the code.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Once the malicious code has been injected, the attacker needs to wait for a user with elevated privileges to use the vulnerable PI Web API and pass their cursor over the infected fields, which results in the code getting executed in the victim’s browser. The attacker can inject code that, when executed, displays a phishing page designed to steal the victim’s credentials.

According to Yardeni, the hacker can then use these credentials for a wide range of activities, including to tamper with data that comes from the plant and make engineers or operators believe that everything is operating normally when in fact it’s not (e.g. a boiler’s real temperature could be 100°C and the application will only show 50°C). The attacker can also delete historical plant data, or use the compromised credentials to hack other plant resources that are accessible to the targeted user.

The vulnerability can also be exploited to inject code designed for page keylogging, stealing cookies, redirecting users to other websites, changing data on the infected page, and stealing browsing information (e.g. internal IP, browser version, etc.).

“If the attacker has high credentials he or she doesn’t need to exploit the vulnerability. They can get access to the production floor with the high credentials alone,” Yardeni explained. “But if the attacker obtained only weak credentials, with ‘write’ permissions, he/she would be able to exploit the vulnerability to obtain higher credentials and then have access to the entire production environment.”

OTORIO has released a video showing how an attacker could exploit this vulnerability for phishing:

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Related: OSIsoft Warns Employees, Contractors of Data Breach

view counter

RSS Icon
picture 106

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:
tag iconTags:

Source link

Recent articles

Manage containers in namespaces by using nsenter

With containers becoming the de facto application deployment standard, we all must understand how to guarantee security, isolation, and resource restrictions. Linux namespaces...

Over 500,000 businesses got PPP loans but are listed as retaining zero jobs, Treasury Department data show

The Paycheck Protection Program was designed to help small business weather the coronavirus pandemic while keeping their workers employed.But government data suggests that...

El Al to slash workforce as part of rescue package agreements | News

Israeli flag-carrier El Al is set to shed 1,700 positions across three divisions as part of a restructuring programme. The airline says it has...

COVID-19 Cybercrime Capitalizing on Brazil’s Government Assistance Program

IBM X-Force Incident Response and Intelligence Services (IRIS) has been tracking cybercrime capitalizing on the coronavirus pandemic since January, and has observed the...

Colin Jost Knows What He Has: ‘A Very Punchable Face’

Though Colin Jost has worked at “Saturday Night Live” for nearly 15 years, it wasn’t until this past spring that he was able...

JK Rowling criticizes ‘cancel culture’ in Harper magazine open letter

"Harry Potter" author J.K. RowlingRob Stothard | Getty ImagesJ.K. Rowling has joined 150 authors and academics in denouncing the so-called "cancel culture," which...

Leave a reply

Please enter your comment!
Please enter your name here