CVE-2018-7496

Vulnerability

OSIsoft PI Vision versions 2017 and prior contain an information exposure vulnerability where the server response header and the referrer-policy response header disclose unintended information. This issue is present in the default configuration and does not require any special conditions to be reachable [1].

Exploitation

An attacker with remote network access can exploit this vulnerability by sending HTTP requests to the PI Vision server and observing the response headers. No authentication or user interaction is required, and the attack complexity is low [1].

Impact

Successful exploitation allows an attacker to obtain sensitive information such as server software details and referrer policy settings, which may aid in further attacks against the system. The vulnerability exposes information but does not directly allow code execution or data modification [1].

Mitigation

OSIsoft has released PI Vision 2017 R2 Update 1 to address this vulnerability. Users are advised to upgrade to this version or later. As a general security practice, minimize network exposure of PI Vision systems and ensure they are not accessible from the internet [1].