Vulnerability Note VU#479051
OSIsoft PI Server provides an insecure authentication mechanism
OSIsoft PI Server provides an insecure authentication mechanism that could allow attackers to read or modify information in databases.
PI Server is a core component of the OSIsoft PI System.
According to a report from C4 Security, OSISoft release notes (login required) for PI Server 3.4.380.36, and OSISoft KB article 5120OSI8, it appears that changes were made to PI Server to better resist brute force authentication attempts. PI Server 3.4.380.36 deprecates an older authentication mechanism in favor of Microsoft Windows authentication.
According to reports it appears that the old PI Sever integrated authentication security system method was susceptible to brute force authentication attempts. A successful attempt will allow an attacker to gain access to the PI Server databases.
OSIsoft recommends upgrading to PI Server version 3.4.380.36.
According to the PI Server 3.4.380.36 release notes the following procedures to mitigate the vulnerability:
Use IPSec between the PI Server and the different client computers
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|OSIsoft||Affected||12 Sep 2008||12 Nov 2010|
CVSS Metrics (Learn More)
Thanks to Eyal Udassin at C4 Security for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2009-0209
- Date Public: 30 Sep 2009
- Date First Published: 19 Nov 2010
- Date Last Updated: 19 Nov 2010
- Severity Metric: 11.76
- Document Revision: 37
If you have feedback, comments, or additional information about this vulnerability, please send us email.