CVE-2016-8365 - OpenCVE

Vendors	Products
Osisoft	Pi Sdk Pi Data Archive Pi Af Client Pi Buffer Subsystem

Link	Resource
http://www.securityfocus.com/bid/94165	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03	Third Party Advisory US Government Resource
https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308	Vendor Advisory

{"containers": {"cna": {"affected": [{"product": "PI System software", "vendor": "OSIsoft", "versions": [{"status": "affected", "version": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"}, {"status": "affected", "version": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"}, {"status": "affected", "version": "PI Buffer Subsystem, versions prior to and including, Version 4.4"}, {"status": "affected", "version": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."}]}], "datePublic": "2016-10-11T00:00:00", "descriptions": [{"lang": "en", "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-437", "description": "Incomplete model of enpoint features CWE-437", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-04-04T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"}, {"name": "94165", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94165"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2016-10-11T00:00:00", "ID": "CVE-2016-8365", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PI System software", "version": {"version_data": [{"version_value": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"}, {"version_value": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"}, {"version_value": "PI Buffer Subsystem, versions prior to and including, Version 4.4"}, {"version_value": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."}]}}]}, "vendor_name": "OSIsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incomplete model of enpoint features CWE-437"}]}]}, "references": {"reference_data": [{"name": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308", "refsource": "CONFIRM", "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"}, {"name": "94165", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94165"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2016-8365", "datePublished": "2016-10-11T00:00:00", "dateReserved": "2016-09-28T00:00:00", "dateUpdated": "2018-04-04T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osisoft:pi_af_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EA643EA-A95B-4444-971A-EDB0E533BBFB", "versionEndExcluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*", "matchCriteriaId": "9036F577-4915-4DF5-A7BA-E79AFE4CCD9C", "versionEndExcluding": "4.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:2016:*:*:*", "matchCriteriaId": "C57078BD-6694-4886-8859-EAC579E2B764", "versionEndExcluding": "3.4.400.1162", "vulnerable": true}, {"criteria": "cpe:2.3:a:osisoft:pi_sdk:*:*:*:*:2016:*:*:*", "matchCriteriaId": "FE61884E-9FC3-4DA7-8FBB-63CA74F7CD86", "versionEndExcluding": "1.4.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"}, {"lang": "es", "value": "El software OSIsoft PI System, en aplicaciones que emplean PI Asset Framework (AF) Client en versiones anteriores a PI AF Client 2016 2.8.0; aplicaciones que emplean PI Software Development Kit (SDK) en versiones anteriores a PI SDK 2016 1.4.6; PI Buffer Subsystem, en versiones anteriores a (e incluyendo) 4.4; y PI Data Archive en versiones anteriores a PI Data Archive 2015 3.4.395.64, opera entre endpoints sin un modelo completo de caracter\u00edsticas de endpoint. Esto podr\u00eda provocar que el producto realice acciones basado en este modelo incompleto, desembocando en una denegaci\u00f3n de servicio. OSIsoft informa que, para explotar esta vulnerabilidad, un atacante necesitar\u00eda estar conectado localmente a un servidor. Se ha calculado una puntuaci\u00f3n CVSS v3 base de 7.1; la cadena de vector CVSS es (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)."}], "id": "CVE-2016-8365", "lastModified": "2019-10-09T23:19:57.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-03T14:29:00.247", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94165"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-437"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

JSON object

JSON object

JSON object