Sign-up

ID

VAR-201708-1392


CVE

CVE-2017-7934


TITLE

OSIsoft PI Server 2017 PI Data Archive Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-007337

DESCRIPTION

An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Network Manager using older protocol versions contains a flaw that could allow a malicious user to authenticate with a server and then cause PI Network Manager to behave in an undefined manner. The OSIsoft PI System is a suite of data acquisition, analysis, and visualization software. PI Server is the core product of PI System. The OSIsoft PI Server has a certification bypass vulnerability. An attacker could exploit the vulnerability to bypass the authentication mechanism and perform unauthorized operations. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-7934 // JVNDB: JVNDB-2017-007337 // CNVD: CNVD-2017-16358 // BID: 99059 // IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0 // CNVD: CNVD-2017-16358

AFFECTED PRODUCTS

vendor:osisoftmodel:pi data archivescope:lteversion:3.4.410.1256

Trust: 1.0

vendor:osisoftmodel:pi data archivescope:ltversion:2017

Trust: 0.8

vendor:osisoftmodel:pi data archivescope:lteversion:<=2017

Trust: 0.6

vendor:osisoftmodel:pi data archivescope:eqversion:3.4.410.1256

Trust: 0.6

vendor:osisoftmodel:pi serverscope:eqversion:20170

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:eqversion:20163.4.400.1162

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:eqversion:20153.4.395.64

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:eqversion:20120

Trust: 0.3

vendor:osisoftmodel:pi data archivescope:neversion:2017

Trust: 0.3

vendor:pi data archivemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0 // CNVD: CNVD-2017-16358 // BID: 99059 // JVNDB: JVNDB-2017-007337 // CNNVD: CNNVD-201704-926 // NVD: CVE-2017-7934

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7934
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7934
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-16358
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-926
value: MEDIUM

Trust: 0.6

IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-7934
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-16358
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-7934
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0 // CNVD: CNVD-2017-16358 // JVNDB: JVNDB-2017-007337 // CNNVD: CNNVD-201704-926 // NVD: CVE-2017-7934

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2017-007337 // NVD: CVE-2017-7934

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-926

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201704-926

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007337

PATCH
title:AL00315 - OSIsoft releases security updates in PI Server 2017url:https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00315
Trust: 0.8
title:Patch for OSIsoft PI Server Authentication Bypass Vulnerability (CNVD-2017-16358)url:https://www.cnvd.org.cn/patchInfo/show/98750
Trust: 0.6
title:OSIsoft PI Server 2017 PI Data Archive PI Network Manager Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99741
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-16358 // 
            
            
            
            JVNDB: JVNDB-2017-007337 // 
            
            
            
            CNNVD: CNNVD-201704-926

EXTERNAL IDS
db:NVDid:CVE-2017-7934
Trust: 3.5
db:ICS CERTid:ICSA-17-164-02
Trust: 2.7
db:BIDid:99059
Trust: 2.5
db:CNVDid:CNVD-2017-16358
Trust: 0.8
db:CNNVDid:CNNVD-201704-926
Trust: 0.8
db:JVNDBid:JVNDB-2017-007337
Trust: 0.8
db:IVDid:10CF70CA-8BF0-47ED-BE97-F716CDFEA1B0
Trust: 0.2
sources:
            
            
            IVD: 10cf70ca-8bf0-47ed-be97-f716cdfea1b0 // 
            
            
            
            CNVD: CNVD-2017-16358 // 
            
            
            
            BID: 99059 // 
            
            
            
            JVNDB: JVNDB-2017-007337 // 
            
            
            
            CNNVD: CNNVD-201704-926 // 
            
            
            
            NVD: CVE-2017-7934

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-164-02
Trust: 2.7
url:http://www.securityfocus.com/bid/99059
Trust: 2.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7934
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-7934
Trust: 0.8
url:https://techsupport.osisoft.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-16358 // 
            
            
            
            BID: 99059 // 
            
            
            
            JVNDB: JVNDB-2017-007337 // 
            
            
            
            CNNVD: CNNVD-201704-926 // 
            
            
            
            NVD: CVE-2017-7934

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 99059

SOURCES
db:IVDid:10cf70ca-8bf0-47ed-be97-f716cdfea1b0
db:CNVDid:CNVD-2017-16358
db:BIDid:99059
db:JVNDBid:JVNDB-2017-007337
db:CNNVDid:CNNVD-201704-926
db:NVDid:CVE-2017-7934

LAST UPDATE DATE
2024-11-23T21:53:49.152000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-16358date:2017-07-25T00:00:00
db:BIDid:99059date:2017-06-13T00:00:00
db:JVNDBid:JVNDB-2017-007337date:2017-09-19T00:00:00
db:CNNVDid:CNNVD-201704-926date:2019-10-17T00:00:00
db:NVDid:CVE-2017-7934date:2024-11-21T03:32:59.847

SOURCES RELEASE DATE
db:IVDid:10cf70ca-8bf0-47ed-be97-f716cdfea1b0date:2017-07-25T00:00:00
db:CNVDid:CNVD-2017-16358date:2017-07-25T00:00:00
db:BIDid:99059date:2017-06-13T00:00:00
db:JVNDBid:JVNDB-2017-007337date:2017-09-19T00:00:00
db:CNNVDid:CNNVD-201704-926date:2017-04-20T00:00:00
db:NVDid:CVE-2017-7934date:2017-08-25T19:29:00.380