多款Osisoft产品数据伪造问题漏洞
CVE编号
CVE-2020-10608利用情况
暂无补丁情况
N/A披露时间
2020-07-25漏洞描述
OSIsoft Osisoft PI Asset Framework(AF)等都是美国OSIsoft公司的产品。Osisoft PI Asset Framework是一款用于以资产为中心的模型、层次结构、对象和设备的存储库。OSIsoft PI Software Development Kit(SDK)是一款提供访问PI服务器的编程库。OSIsoft PI API(Application Programming Interface)是一款支持在PI Data Archive中读取和写入值的函数库。 多款Osisoft产品中存在数据伪造问题漏洞。本地攻击者可利用该漏洞提升权限并查看、删除或修改未经授权的信息。解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_api | * | Up to (including) 1.6.8.26 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_api | * | Up to (including) 2.0.2.5 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_buffer_subsystem | * | Up to (including) 4.8.0.18 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.0.0.54 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.1.0.10 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.2.0.42 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.2.0.6 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.2.1.71 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.2.2.79 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.3.0.1 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.3.0.130 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.3.1.135 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.4.0.17 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector | * | Up to (including) 1.5.0.88 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_connector_relay | * | Up to (including) 2.5.19.0 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_data_archive | * | Up to (including) 3.4.430.460 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_data_collection_manager | * | Up to (including) 2.5.19.0 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_integrator | * | Up to (including) 2.2.0.183 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_interface_configuration_utility | * | Up to (including) 1.5.0.7 | |||||
| 运行在以下环境 | |||||||||
| 应用 | osisoft | pi_to_ocs | * | Up to (including) 1.1.36.0 | |||||
- 攻击路径 本地
- 攻击复杂度 低
- 权限要求 低
- 影响范围 未更改
- 用户交互 无
- 可用性 高
- 保密性 高
- 完整性 高
| CWE-ID | 漏洞类型 |
| CWE-347 | 密码学签名的验证不恰当 |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论