OSIsoft PI OPC DA Interface contains an overflow condition that is triggered as user-supplied input is not properly validated when parsing OPC input messages. With a specially crafted request, a remote attacker can cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

Upgrade to version 2.3.20.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2012-3008 (see also: NVD)
• Secunia Advisory ID: 49986
• Vendor Specific Advisory URL: http://techsupport.osisoft.com/Bulletins/5/176272ce-0f1b-450f-8aa8-780d8524b26d.htm
  https://rockwellautomation.custhelp.com/app/answers/detail/a_id/514189 [ Auth Req'd ]
• Other Advisory URL: http://www.digitalbond.com/2012/07/21/major-ics-vulnerability-dropped-late-friday/#more-11534
  http://www.us-cert.gov/control_systems/pdf/ICSA-12-201-01.pdf
• Vendor URL: http://www.osisoft.com/software-support/products/additional_detail/PI_OPC_Clients.aspx
• Vendor Specific Solution URL: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/509721 [ Auth Req'd ]

• Not Available
• Not Available