CVE-2017-5153 in PI Coresight

Summary

by MITRE

An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier versions, and PI Web API 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit. An information exposure through server log files vulnerability has been identified, which may allow service account passwords to become exposed for the affected services, potentially leading to unauthorized shutdown of the affected PI services as well as potential reuse of domain credentials.


Analysis

by VulDB Data Team • 09/02/2020

CVE-2017-5153 is an information exposure flaw in OSIsoft PI Coresight 2016 R2 and earlier, and in PI Web API 2016 R2 when it is deployed with the PI AF Services 2016 R2 integrated install kit. The weakness is that service account credentials are written to server log files, so anyone who can read those logs can recover the passwords of the affected services. The PI System is widely deployed as the data infrastructure behind process control and plant data acquisition, environments in which the availability and integrity of the historian and its supporting services matter directly to operations.

Technically, the affected deployment writes the service account passwords to its log files in plain text. Log files are routinely readable by administrators, backup operators, log-collection agents and support staff, so the secret reaches a far wider audience than the account it protects, and it persists in every copy of the log that is archived or forwarded. This is an instance of CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and, more specifically, CWE-532 (Insertion of Sensitive Information into Log File). The exposure arises when the products are deployed with the integrated PI AF Services kit: the credentials supplied during deployment are written to the logs without being masked. Because the exposed accounts are the ones under which the PI services run, the flaw touches the core authentication path of the installation rather than a peripheral feature.

The impact goes beyond the credential itself. A service account password lets an attacker authenticate as that service and, for example, stop or restart the affected PI services, an unauthorized shutdown that interrupts the collection and delivery of process data. Because the accounts are typically domain accounts, the same credentials can be reused against other hosts and services in the domain, giving a foothold for lateral movement and privilege escalation. In ATT&CK terms the recovery of the password from the log is T1552.001 (Unsecured Credentials: Credentials In Files), its subsequent use is T1078 (Valid Accounts), and the resulting shutdown is T1489 (Service Stop).

Affected organizations should treat the logged passwords as already compromised. Rotate the password of every service account used by the affected deployment, including any domain account that shares those credentials, and apply the vendor's fixed versions of PI Coresight, PI Web API and the PI AF Services install kit; if the upgrade prompts for the service credentials again, verify afterwards that the new passwords do not appear in the logs. Locate and scrub the credentials from existing log files, including copies that have been shipped to central log collectors, backups and support bundles, and restrict read access to the PI server log directories to the administrators who need it. Review who has had access to those logs since the affected versions were installed, since that is the population that may have seen the passwords. Going forward, configure logging so that secrets are masked before they are written, and add a detection for credential-like strings in collected logs so that a regression is caught early. Network segmentation and running each PI service under a dedicated, least-privilege account limit what a compromised service credential can reach, and an incident response playbook for credential exposure in the control network shortens the time between discovery and rotation. The case is a reminder that credential handling during installation deserves the same scrutiny as runtime configuration in industrial environments.
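The following is an added example, not OSIsoft code, and it makes no claim about the real PI AF Services installer or its log format: the log lines, the field names (`account`, `password`), the logger names and the list of secret-looking keys are constructed for illustration. It covers both the technical description above and the remediation steps: the defect class (a service configuration step that hands the password to the logger) beside the hardened call that never logs it and a logging filter that masks secret-looking values before they reach the file, plus the audit scan over existing log lines that reports where credentials sit without copying them into the findings.

```python
"""Added example (not OSIsoft code).  Demonstrates the CWE-532 defect class
behind CVE-2017-5153 and two countermeasures: a logging filter that masks
secrets before they are written, and an audit scan over existing log lines.

Everything below is constructed for illustration: the log lines, the field
names and the logger names are assumptions, not the real PI AF Services
installer log format.
"""
import logging
import re
from io import StringIO
from typing import Iterable, List, Tuple

# Field names that usually carry secret material (assumed list; extend it
# with the key names your own installer or connection strings use).
SECRET_KEYS = ("password", "passwd", "pwd", "secret")

# key=value / key: value / key="quoted value", case-insensitive.  An unquoted
# value runs to the next whitespace, so trailing punctuation is redacted too.
_SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\b\s*[=:]\s*(\"[^\"]*\"|'[^']*'|\S+)"
)


def redact(text: str) -> str:
    """Replace the value of every secret-looking key with a fixed marker."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}=<REDACTED>", text)


class RedactingFilter(logging.Filter):
    """Handler filter that scrubs the fully formatted message.

    The message is rendered first so secrets passed as %-args are caught,
    then args is cleared so the record is not formatted a second time.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_service_config_vulnerable(log: logging.Logger, account: str, password: str) -> None:
    """The defect class: the whole service configuration, password included,
    goes into the installer log."""
    log.info("Configuring service account=%s password=%s", account, password)


def log_service_config_hardened(log: logging.Logger, account: str, password: str) -> None:
    """Hardened: the secret is never handed to the logging call at all.
    The filter above is a second line of defence, not a substitute for this."""
    log.info("Configuring service account=%s password=<not logged>", account)


def capture_logs(variant: str) -> str:
    """Run one variant through a fresh in-memory logger and return what would
    have been written to the log file.

    variant: 'raw' (vulnerable call, no filter), 'filtered' (vulnerable call
    behind RedactingFilter) or 'hardened' (secret never logged)."""
    buf = StringIO()
    log = logging.getLogger(f"pi-demo-{variant}")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if variant == "filtered":
        handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    account, password = "CORP\\svc-piaf", "Winter2017!"   # constructed values
    if variant == "hardened":
        log_service_config_hardened(log, account, password)
    else:
        log_service_config_vulnerable(log, account, password)
    return buf.getvalue()


# Constructed sample of what an exposed installer log might look like.
SAMPLE_LOG = [
    "2017-01-10 09:12:01 INFO  Installing PI AF Services",
    "2017-01-10 09:12:02 INFO  Configuring service account=CORP\\svc-piaf password=Winter2017!",
    "2017-01-10 09:12:03 INFO  Service PIAFSvc started",
    '2017-01-10 09:12:04 DEBUG Connection string: Server=PIAF01;User Id=svc-piweb;Password="S3cr3t pass";',
]


def audit_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Audit step from the remediation: return (line_no, redacted_line) for
    every line that carries a secret-looking key/value pair.  The redacted
    text is safe to put in a findings report; the raw line is not."""
    hits = []
    for n, line in enumerate(lines, 1):
        if _SECRET_RE.search(line):
            hits.append((n, redact(line.rstrip("\n"))))
    return hits


if __name__ == "__main__":
    for variant in ("raw", "filtered", "hardened"):
        print(f"--- {variant} ---")
        print(capture_logs(variant), end="")
    print("--- audit of SAMPLE_LOG ---")
    for n, line in audit_log_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

The filter is deliberately placed on the handler rather than the logger so it also catches records from third-party code that logs through the same handler, but it is only a safety net: the real fix is the hardened call, which never gives the secret to the logging API. The audit scan reports line numbers with the value masked, so the report itself does not become a second copy of the credential; run it against archived and forwarded copies of the logs as well as the live files.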

Reservation

01/03/2017

Disclosure

02/13/2017

Moderation

accepted

Entry

VDB-96936

CPE

ready

EPSS

0.00091

KEV

no

Activities

very low
