Brief
Summary:
The AVEVA PI Server (Versions 2023 and 2018 SP3 P05 and prior) has been found to have two vulnerabilities that can be exploited remotely with low attack complexity.
Vulnerability Details:
1. Improper Check or Handling of Exceptional Conditions (CVSS v3 base score: 7.5, CVE-2023-34348): Allows an unauthenticated user to remotely crash the PI Message Subsystem, resulting in a denial-of-service condition.
2. Missing Release of Resource after Effective Lifetime (CVSS v3 base score: 5.3, CVE-2023-31274): Allows an unauthenticated user to cause the PI Message Subsystem to consume available memory, resulting in throttled processing of new PI Data Archive events and a partial denial-of-service condition.
Risk and Impact:
Successful exploitation can lead to a denial-of-service condition, which can impact the operations of the affected systems.
Mitigation:
Affected versions can be fixed by upgrading to AVEVA PI Server version 2023 Patch 1 or later (for version 2023) or AVEVA PI Server version 2018 SP3 Patch 6 or later (for versions 2018 SP3 prior to Patch 5). Additional defensive measures include setting the PI Message Subsystem to auto restart, monitoring memory usage, limiting network access, and confirming authorized access to the PI Server Message Log.
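The following PowerShell sketch is an added example, not taken from the AVEVA or CISA guidance. It applies two of the measures above on a PI Server host: Windows service recovery so the PI Message Subsystem restarts after a crash, and periodic sampling of its memory use. The service name `pimsgss`, the 1024 MB threshold and the sampling interval are assumptions; confirm the service name with `Get-Service` and choose a threshold from your own baseline.

```powershell
# Added example. Run elevated on the PI Server host.
param(
    [string]$ServiceName    = 'pimsgss',  # assumed service name; verify with Get-Service
    [int]   $RestartDelayMs = 60000,      # wait 60 s before each automatic restart
    [long]  $MemoryLimitMB  = 1024,       # hypothetical alert threshold, tune to baseline
    [int]   $SampleSeconds  = 60,
    [int]   $Samples        = 5
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the name on this host." }

# 1. Auto restart: restart on the first, second and subsequent failures,
#    and reset the failure counter after one day without a failure.
$actions = "restart/$RestartDelayMs/restart/$RestartDelayMs/restart/$RestartDelayMs"
& sc.exe failure $ServiceName reset= 86400 actions= $actions | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned exit code $LASTEXITCODE." }
& sc.exe qfailure $ServiceName   # print the recovery settings now in effect

# 2. Memory monitoring: sample private bytes of the service process and warn
#    when it exceeds the threshold or has grown on every sample.
$first = $null; $last = $null; $alwaysGrowing = $true
for ($i = 0; $i -lt $Samples; $i++) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if ($svc.State -ne 'Running' -or $svc.ProcessId -eq 0) {
        Write-Warning "$ServiceName is not running (state: $($svc.State))."
    } else {
        $proc = Get-Process -Id $svc.ProcessId
        $mb   = [math]::Round($proc.PrivateMemorySize64 / 1MB, 1)
        Write-Output ("{0:u}  {1}  {2} MB private" -f (Get-Date), $ServiceName, $mb)
        if ($mb -gt $MemoryLimitMB) {
            Write-Warning "$ServiceName uses $mb MB, above the $MemoryLimitMB MB threshold."
        }
        if ($null -eq $first) { $first = $mb }
        elseif ($mb -le $last) { $alwaysGrowing = $false }
        $last = $mb
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $SampleSeconds }
}
if ($Samples -gt 2 -and $alwaysGrowing -and $null -ne $first -and $last -gt $first) {
    Write-Warning "$ServiceName memory grew on every sample ($first MB to $last MB)."
}
```

Steady growth alone is not proof of exploitation, so correlate any warning with the PI Server Message Log and network access records before acting on it.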
Recommendations:
Organizations are advised to apply security updates as soon as possible, evaluate the impact of these vulnerabilities based on their operational environment, and take defensive measures to minimize the risk of exploitation. CISA also recommends minimizing network exposure, locating control systems behind firewalls, and using secure remote access methods.
