CVE-2021-43553 : Security Advisory and Response

Learn about CVE-2021-43553 affecting OSIsoft PI Vision. Discover the impact, affected versions, and mitigation steps to secure your systems from unauthorized information disclosure.

PI Vision, a product by OSIsoft, is vulnerable to disclosing information to unauthorized users due to a misconfiguration. This CVE affects all versions of PI Vision up to 2021.

Understanding CVE-2021-43553

What is CVE-2021-43553?

PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.

The Impact of CVE-2021-43553

The impact of this CVE is low, with a CVSS base score of 3.1. It can result in unauthorized access to sensitive information within PI Vision.

Technical Details of CVE-2021-43553

Vulnerability Description

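The vulnerability stems from a misconfiguration that lets a user with insufficient privileges read information from specific AF attributes: those that are the child of another attribute and are configured as a Limits property.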

Affected Systems and Versions

        Product: PI Vision
        Vendor: OSIsoft
        Versions affected: All versions up to 2021

Exploitation Mechanism

        Attack Complexity: High
        Attack Vector: Network
        Privileges Required: Low
        User Interaction: None

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to PI Vision 2021 to mitigate the vulnerability.
        Configure Publisher and Explorer roles in PI Vision User Access Levels to restrict unauthorized access.
        Remove Limits properties from AF child attributes using PI System Explorer.

Long-Term Security Practices

        Use modern web browsers like Microsoft Edge, Google Chrome, or Mozilla Firefox.
        Regularly audit the AF hierarchy to detect unexpected elements or attributes.
        Enforce security settings on elements in AF and configure PI point security.

Patching and Updates

        Stay informed through OSIsoft's security bulletins for patches and security updates.
