If you’re using The Foundry’s Magritte plugin and its osisoft-pi-web-connector integration, and your version is between .15. and .43., your system may be leaking sensitive authentication information via log files. This vulnerability, CVE-2022-27893, makes it easy for attackers or even curious insiders to recover usernames and passwords from simple log access. The bug has been fixed in version .44.. In this article, we’ll walk you through what happened, show you some code, and explain how attackers might exploit this issue. As always, patch as soon as you can.
> Official Advisory:
> The Foundry Security Advisories
> NVD CVE Entry
What Is The Foundry Magritte Plugin?
The Foundry is well-known in the visual effects (VFX) and media industries for its pipeline tools. The Magritte plugin is an integration layer, allowing connections to lots of data sources. The osisoft-pi-web-connector brings in process data from PI servers. It's especially handy if you’re mixing VFX with real-world data.
What Is CVE-2022-27893?
CVE-2022-27893 is a flaw where the Magritte plugin’s osisoft-pi-web-connector (from version .15. up to .43.) logs sensitive authentication requests into local files. These logs unintentionally capture authentication payloads, sometimes in plaintext — including passwords and API keys. The logging is verbose and not scrubbed for secrets.
Simply Put
If you set up the connector for a user to access an OSIsoft PI server, anyone with access to the plugin’s logs could find user credentials there.
Here’s what a compromised log file could look like (username and password in request)
2022-07-14 15:23:01,456 [INFO] Sending authentication request: POST /piwebapi/auth
Payload: {'username':'operator1', 'password':'Pa55wrd!'}
Or, in raw file form
[2022-07-14T15:23:01Z] [POST] to /piwebapi/auth with body: user=operator1&pass=Pa55wrd!
If these logs are not protected, any local or remote attacker (w/ log access) can grab credentials and later connect to the real PI server — sometimes with admin privileges.
The Issue: Poor Logging Practices
The actual bug comes from the logging statement in code. Here’s a simple example of what went wrong:
# Vulnerable example from osisoft-pi-web-connector < .44.
def authenticate(user, password):
logger.info(f"Sending authentication request: user={user}, password={password}")
# ... actual request sent here
Best practices say you should never log sensitive info. Fixed versions will log only user IDs, or anonymized payloads:
# Safe code in osisoft-pi-web-connector >= .44.
def authenticate(user, password):
logger.info(f"Sending authentication request for user: {user}")
# ... actual request sent here
Credentials are entered during setup, or for scheduled refresh.
3. Plugin logs the entire authentication request including the password in plaintext to its logfile.
4. Attacker or malicious insider reads the log file (usually on the same server or wherever logs are stored).
5. Attacker uses harvested credentials to access data, pivot deeper into systems, or escalate privileges.
Code Example: How Logs Get Grabbed
Suppose the log file is writable by a user “render”, and it’s stored as /var/log/magritte/piweb.log:
# One-liner to dump all password attempts from logs
grep -Eo "password[^']*'[^']+'" /var/log/magritte/piweb.log
# Or, find out all PI usernames used:
grep -Eo "user[^']*'[^']+'" /var/log/magritte/piweb.log
How to Fix
Upgrade the connector to .44. or later.
The fix ensures passwords never hit the log file.
Reference:
Release Notes osisoft-pi-web-connector
If you can’t upgrade immediately
- Restrict log file access (chmod/chown)
Links & References
- NVD Entry for CVE-2022-27893
- The Foundry Security Advisory
- GitHub Release v.44.
- OSIsoft PI Web API Overview
Timeline
Published on: 11/04/2022 16:15:00 UTC
Last modified on: 11/14/2022 15:23:00 UTC