CVE-2016-8365

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

El software OSIsoft PI System, en aplicaciones que emplean PI Asset Framework (AF) Client en versiones anteriores a PI AF Client 2016 2.8.0; aplicaciones que emplean PI Software Development Kit (SDK) en versiones anteriores a PI SDK 2016 1.4.6; PI Buffer Subsystem, en versiones anteriores a (e incluyendo) 4.4; y PI Data Archive en versiones anteriores a PI Data Archive 2015 3.4.395.64, opera entre endpoints sin un modelo completo de características de endpoint. Esto podría provocar que el producto realice acciones basado en este modelo incompleto, desembocando en una denegación de servicio. OSIsoft informa que, para explotar esta vulnerabilidad, un atacante necesitaría estar conectado localmente a un servidor. Se ha calculado una puntuación CVSS v3 base de 7.1; la cadena de vector CVSS es (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-09-28 CVE Reserved
2018-04-03 CVE Published
2023-03-28 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control
CWE-437: Incomplete Model of Endpoint Features

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/94165	Third Party Advisory
https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Osisoft Search vendor "Osisoft"		Pi Af Client Search vendor "Osisoft" for product "Pi Af Client"				< 2.8.0 Search vendor "Osisoft" for product "Pi Af Client" and version " < 2.8.0"		-		Affected
Osisoft Search vendor "Osisoft"		Pi Buffer Subsystem Search vendor "Osisoft" for product "Pi Buffer Subsystem"				< 4.5.0 Search vendor "Osisoft" for product "Pi Buffer Subsystem" and version " < 4.5.0"		-		Affected
Osisoft Search vendor "Osisoft"		Pi Data Archive Search vendor "Osisoft" for product "Pi Data Archive"				< 3.4.400.1162 Search vendor "Osisoft" for product "Pi Data Archive" and version " < 3.4.400.1162"		2016		Affected
Osisoft Search vendor "Osisoft"		Pi Sdk Search vendor "Osisoft" for product "Pi Sdk"				< 1.4.6 Search vendor "Osisoft" for product "Pi Sdk" and version " < 1.4.6"		2016		Affected