Background ----------------- Vendor product information, from www.osisoft.com : The PI SystemT brings all operational data into a single system that can deliver it to users at all levels of the company - from the plant floor to the enterprise level. The PI System keeps business-critical data always online and available in a specialized time-series database by: . Gathering event-driven data, in real-time, from multiple sources across the plant and/or enterprise . Applying advanced analytical calculations and business rules to Contextualize and Analyze this data . Configuring smart and thin client tools to distribute and visualize knowledge/ information to display critical operational metrics and integrate the user experience across different roles within the enterprise. Description ---------------- Due to the sensitivity of SCADA-related vulnerabilities, we can only publicly disclose that PI Server suffers from an encryption weakness in the default authentication process. Details of this vulnerability will be disclosed only to legitimate parties such as asset owners (utilities), after receiving the approval of the local CERT or any other local official entity. Impact ---------- An attacker can gain access to the PI Server databases, allowing him to: 1. Gain access to confidential operational information 2. Data tampering - permanent data loss or presentation of misleading decision support data 3. Attempt to find additional vulnerabilities in the server to carry out the "corporate network to control center" attack vector mentioned in C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site and Corporate Network" (http://www.c4-security.com/index-5.html). Affected Versions ------------------------- PI Server - All versions Workaround/Fix ----------------------- According to the vendor, as of PI version 3.4.380.x the vulnerable authentication mechanism is deprecated, therefore no fix is planned for release for this vulnerability. The vendor recommends the following procedures to mitigate the vulnerability: . Enable the PI Server for Windows authentication and configure PI Trust records . Use IPSec between the PI Server and the different client computers Additional Information ------------------------------- For additional information please contact us at info_at_c4-security.com. Note that we will respond only to verified utility personnel and governmental agencies. Details of this vulnerability will be disclosed only to legitimate parties such as asset owners (utilities), after receiving the approval of the local CERT or any other local official entity. The CVE identifier assigned to this vulnerability by CERT is CVE-2009-209. Credit -------- This vulnerability was discovered and exploited by Eyal Udassin, Jonathan Afek and Yaron Budowsky from C4 Security (http://www.c4-security.com). C4 Security is a leader in SCADA security reviews, auditing and penetration testing. Regards, Eyal Udassin - C4 33 Jabutinsky St., The Twin Towers #1, Ramat Gan, Israel eyal.udassin (at) c4-security (dot) com [email concealed] / www.c4-security.com +972-3-6134703