Sign-up

ID

VAR-201708-1390


CVE

CVE-2017-7930


TITLE

OSIsoft PI Server Authentication Bypass Vulnerability

Trust: 0.8

sources: IVD: b62dbca6-8c59-468d-99f3-000e688d6797 // CNVD: CNVD-2017-16357

DESCRIPTION

An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Data Archive has protocol flaws with the potential to expose change records in the clear and allow a malicious party to spoof a server within a collective. The OSIsoft PI System is a suite of data acquisition, analysis, and visualization software. PI Server is the core product of PI System. The OSIsoft PI Server has a certification bypass vulnerability. An attacker could exploit the vulnerability to bypass the authentication mechanism and perform unauthorized operations. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-7930 // JVNDB: JVNDB-2017-007336 // CNVD: CNVD-2017-16357 // BID: 99059 // IVD: b62dbca6-8c59-468d-99f3-000e688d6797

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: b62dbca6-8c59-468d-99f3-000e688d6797 // CNVD: CNVD-2017-16357

AFFECTED PRODUCTS

vendor:osisoftmodel:pi data archivescope:lteversion:3.4.410.1256

Trust: 1.0

vendor:osisoftmodel:pi data archivescope:ltversion:2017

Trust: 0.8

vendor:osisoftmodel:pi data archivescope:lteversion:<=2017

Trust: 0.6

vendor:osisoftmodel:pi data archivescope:eqversion:3.4.410.1256

Trust: 0.6

vendor:osisoftmodel:pi serverscope:eqversion:20170

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:eqversion:20163.4.400.1162

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:eqversion:20153.4.395.64

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:eqversion:20120

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:neversion:2017

Trust: 0.3

vendor:pi data archivemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: b62dbca6-8c59-468d-99f3-000e688d6797 // CNVD: CNVD-2017-16357 // BID: 99059 // JVNDB: JVNDB-2017-007336 // CNNVD: CNNVD-201704-930 // NVD: CVE-2017-7930

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7930
value: HIGH

Trust: 1.0

NVD: CVE-2017-7930
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-16357
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-930
value: HIGH

Trust: 0.6

IVD: b62dbca6-8c59-468d-99f3-000e688d6797
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-7930
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-16357
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b62dbca6-8c59-468d-99f3-000e688d6797
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-7930
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: IVD: b62dbca6-8c59-468d-99f3-000e688d6797 // CNVD: CNVD-2017-16357 // JVNDB: JVNDB-2017-007336 // CNNVD: CNNVD-201704-930 // NVD: CVE-2017-7930

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2017-007336 // NVD: CVE-2017-7930

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-930

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201704-930

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007336

PATCH
title:AL00315 - OSIsoft releases security updates in PI Server 2017url:https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00315
Trust: 0.8
title:OSIsoft PI Server authentication bypasses the patch for the vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/98749
Trust: 0.6
title:OSIsoft PI Server 2017 PI Data Archive PI Network Manager Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99745
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-16357 // 
            
            
            
            JVNDB: JVNDB-2017-007336 // 
            
            
            
            CNNVD: CNNVD-201704-930

EXTERNAL IDS
db:NVDid:CVE-2017-7930
Trust: 3.5
db:ICS CERTid:ICSA-17-164-02
Trust: 2.7
db:BIDid:99059
Trust: 2.5
db:CNVDid:CNVD-2017-16357
Trust: 0.8
db:CNNVDid:CNNVD-201704-930
Trust: 0.8
db:JVNDBid:JVNDB-2017-007336
Trust: 0.8
db:IVDid:B62DBCA6-8C59-468D-99F3-000E688D6797
Trust: 0.2
sources:
            
            
            IVD: b62dbca6-8c59-468d-99f3-000e688d6797 // 
            
            
            
            CNVD: CNVD-2017-16357 // 
            
            
            
            BID: 99059 // 
            
            
            
            JVNDB: JVNDB-2017-007336 // 
            
            
            
            CNNVD: CNNVD-201704-930 // 
            
            
            
            NVD: CVE-2017-7930

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-164-02
Trust: 2.7
url:http://www.securityfocus.com/bid/99059
Trust: 2.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7930
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-7930
Trust: 0.8
url:https://techsupport.osisoft.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-16357 // 
            
            
            
            BID: 99059 // 
            
            
            
            JVNDB: JVNDB-2017-007336 // 
            
            
            
            CNNVD: CNNVD-201704-930 // 
            
            
            
            NVD: CVE-2017-7930

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 99059

SOURCES
db:IVDid:b62dbca6-8c59-468d-99f3-000e688d6797
db:CNVDid:CNVD-2017-16357
db:BIDid:99059
db:JVNDBid:JVNDB-2017-007336
db:CNNVDid:CNNVD-201704-930
db:NVDid:CVE-2017-7930

LAST UPDATE DATE
2024-11-23T21:53:49.116000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-16357date:2017-07-25T00:00:00
db:BIDid:99059date:2017-06-13T00:00:00
db:JVNDBid:JVNDB-2017-007336date:2017-09-19T00:00:00
db:CNNVDid:CNNVD-201704-930date:2019-10-17T00:00:00
db:NVDid:CVE-2017-7930date:2024-11-21T03:32:59.340

SOURCES RELEASE DATE
db:IVDid:b62dbca6-8c59-468d-99f3-000e688d6797date:2017-07-25T00:00:00
db:CNVDid:CNVD-2017-16357date:2017-07-25T00:00:00
db:BIDid:99059date:2017-06-13T00:00:00
db:JVNDBid:JVNDB-2017-007336date:2017-09-19T00:00:00
db:CNNVDid:CNNVD-201704-930date:2017-04-20T00:00:00
db:NVDid:CVE-2017-7930date:2017-08-25T19:29:00.333