Details of VAR-201708-1404

ID

VAR-201708-1404

CVE

CVE-2017-9653

TITLE

OSIsoft PI Integrator Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: 3c9b8a2f-e383-4f65-a360-5a5a2835fd54 // CNVD: CNVD-2017-22841

DESCRIPTION

An Improper Authorization issue was discovered in OSIsoft PI Integrator for Business Analytics before 2016 R2, PI Integrator for Microsoft Azure before 2016 R2 SP1, and PI Integrator for SAP HANA before 2017. An attacker is able to gain privileged access to the system while unauthorized. OSIsoft PI Integrator is a tool for OSIsoft to provide visual data for external systems. An unauthorized access vulnerability exists in OSIsoft PI Integrator. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or gain elevated privileges and perform unauthorized actions. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-9653 // JVNDB: JVNDB-2017-007586 // CNVD: CNVD-2017-22841 // BID: 100212 // IVD: 3c9b8a2f-e383-4f65-a360-5a5a2835fd54

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 3c9b8a2f-e383-4f65-a360-5a5a2835fd54 // CNVD: CNVD-2017-22841

AFFECTED PRODUCTS

vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	eq	version:	2016	Trust: 1.6
vendor:	osisoft	model:	pi integrator for sap hana	scope:	eq	version:	2016	Trust: 1.6
vendor:	osisoft	model:	pi integrator for business analystics	scope:	eq	version:	2016	Trust: 1.6
vendor:	osisoft	model:	pi integrator for sap hana	scope:	lt	version:	2017	Trust: 1.4
vendor:	osisoft	model:	pi integrator for business analytics	scope:	lt	version:	2016 r2	Trust: 0.8
vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	lt	version:	2016 r2 sp1	Trust: 0.8
vendor:	osisoft	model:	pi integrator for business analytics r2	scope:	lt	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for microsoft azure r2 sp1	scope:	lt	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for sap hana	scope:	eq	version:	20160	Trust: 0.3
vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	eq	version:	20160	Trust: 0.3
vendor:	osisoft	model:	pi integrator for business analytics and sap hana sql utility	scope:	eq	version:	2016	Trust: 0.3
vendor:	osisoft	model:	pi integrator for business analytics 2016-business intelligence	scope:	eq	version:	0	Trust: 0.3
vendor:	osisoft	model:	pi integrator for business analytics data warehouse	scope:	eq	version:	2016-0	Trust: 0.3
vendor:	pi integrator for business analystics	model:	-	scope:	eq	version:	2016	Trust: 0.2
vendor:	pi integrator for microsoft azure	model:	-	scope:	eq	version:	2016	Trust: 0.2
vendor:	pi integrator for sap hana	model:	-	scope:	eq	version:	2016	Trust: 0.2

sources: IVD: 3c9b8a2f-e383-4f65-a360-5a5a2835fd54 // CNVD: CNVD-2017-22841 // BID: 100212 // JVNDB: JVNDB-2017-007586 // CNNVD: CNNVD-201706-584 // NVD: CVE-2017-9653

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-9653
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-9653
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2017-22841
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201706-584
value:	CRITICAL
Trust: 0.6
IVD:	3c9b8a2f-e383-4f65-a360-5a5a2835fd54
value:	CRITICAL
Trust: 0.2

nvd@nist.gov:	CVE-2017-9653
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-22841
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	3c9b8a2f-e383-4f65-a360-5a5a2835fd54
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-9653
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: 3c9b8a2f-e383-4f65-a360-5a5a2835fd54 // CNVD: CNVD-2017-22841 // JVNDB: JVNDB-2017-007586 // CNNVD: CNNVD-201706-584 // NVD: CVE-2017-9653

PROBLEMTYPE DATA

problemtype:	CWE-863	Trust: 1.0
problemtype:	CWE-285	Trust: 0.8

sources: JVNDB: JVNDB-2017-007586 // NVD: CVE-2017-9653

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-584

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201706-584

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007586

PATCH

title:	AL00324 - Security updates for PI Integrator For Business Analytics 2016, PI Integrator for Microsoft Azure 2016, and PI Integrator for SAP HANA 2016	url:	https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00324	Trust: 0.8
title:	OSIsoft PI Integrator does not authorize access to the vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/100822	Trust: 0.6
title:	OSIsoft PI Integrator Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99850	Trust: 0.6

sources: CNVD: CNVD-2017-22841 // JVNDB: JVNDB-2017-007586 // CNNVD: CNNVD-201706-584

EXTERNAL IDS

db:	NVD	id:	CVE-2017-9653	Trust: 3.5
db:	ICS CERT	id:	ICSA-17-220-01	Trust: 3.3
db:	BID	id:	100212	Trust: 2.5
db:	CNVD	id:	CNVD-2017-22841	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-584	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-007586	Trust: 0.8
db:	IVD	id:	3C9B8A2F-E383-4F65-A360-5A5A2835FD54	Trust: 0.2

sources: IVD: 3c9b8a2f-e383-4f65-a360-5a5a2835fd54 // CNVD: CNVD-2017-22841 // BID: 100212 // JVNDB: JVNDB-2017-007586 // CNNVD: CNNVD-201706-584 // NVD: CVE-2017-9653

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-220-01	Trust: 3.3
url:	https://techsupport.osisoft.com/troubleshooting/alerts/al00324	Trust: 1.9
url:	http://www.securityfocus.com/bid/100212	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9653	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9653	Trust: 0.8
url:	https://techsupport.osisoft.com/products/pi-integrators/	Trust: 0.3

sources: CNVD: CNVD-2017-22841 // BID: 100212 // JVNDB: JVNDB-2017-007586 // CNNVD: CNNVD-201706-584 // NVD: CVE-2017-9653

CREDITS

OSIsoft

Trust: 0.3

sources: BID: 100212

SOURCES

db:	IVD	id:	3c9b8a2f-e383-4f65-a360-5a5a2835fd54
db:	CNVD	id:	CNVD-2017-22841
db:	BID	id:	100212
db:	JVNDB	id:	JVNDB-2017-007586
db:	CNNVD	id:	CNNVD-201706-584
db:	NVD	id:	CVE-2017-9653

LAST UPDATE DATE

2025-04-20T23:35:47.022000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-22841	date:	2017-08-25T00:00:00
db:	BID	id:	100212	date:	2017-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-007586	date:	2017-09-26T00:00:00
db:	CNNVD	id:	CNNVD-201706-584	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-9653	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	3c9b8a2f-e383-4f65-a360-5a5a2835fd54	date:	2017-08-25T00:00:00
db:	CNVD	id:	CNVD-2017-22841	date:	2017-08-25T00:00:00
db:	BID	id:	100212	date:	2017-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-007586	date:	2017-09-26T00:00:00
db:	CNNVD	id:	CNNVD-201706-584	date:	2017-06-15T00:00:00
db:	NVD	id:	CVE-2017-9653	date:	2017-08-14T16:29:00.257