Patches for CENTUM CS 3000 Holes

Wednesday, May 14, 2014 @ 08:05 AM gHale


Yokogawa has created patches to mitigate the buffer overflow vulnerabilities in the CENTUM CS 3000 that were reported earlier this year.

Juan Vazquez of Rapid7 Inc. and independent researcher Julian Vilas Diaz identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 application. CERT/CC, ICS-CERT, and JPCERT coordinated with Rapid7 and Yokogawa to mitigate these remotely exploitable vulnerabilities.

CENTUM CS 3000 R3.09.50 and earlier suffer from the issue.

Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service (DoS) or even potentially get system privileges to execute arbitrary code.

Yokogawa is a Japan-based company that maintains offices in several countries around the world, including North and Central America, South America, Europe, Middle East, Africa, South Asia, and East Asia.

The affected product, CENTUM CS 3000, is a Windows-based control system. According to Yokogawa, this series sees use across several sectors including critical manufacturing, energy, and food and agriculture. Yokogawa estimates there are 7,600 systems worldwide.

Heap-based buffer overflow: CENTUM’s BKCLogSvr.exe service, started automatically with the system, listens by default on Port 52302/UDP. By sending a specially crafted sequence of packets to Port 52302/UDP, it is possible to trigger a heap-based buffer overflow following use of uninitialized data, which allows an attacker to crash BKCLogSvr.exe (DoS) and could allow execution of arbitrary code with system privileges.

CVE-2014-0781 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Stack-based buffer overflow: CENTUM’s BKHOdeq.exe service, which starts when running the FCS/Test Function, listens by default on Ports 20109/TCP and 20171/TCP. By sending a specially crafted packet to Port 20171/TCP, it is possible to trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.

CVE-2014-0783 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.

Stack-based buffer overflow: CENTUM’s BKBCopyD.exe service, which starts when running the FCS/Test Function, listens by default on Port 20111/TCP. By sending a specially crafted packet to Port 20111/TCP, it is possible to trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.

CVE-2014-0784 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

Stack-based buffer overflow: CENTUM’s BKESimmgr.exe service, which starts automatically at system startup by default on systems where the Expanded Test Functions Package is installed, listens on Port 34205/TCP. By sending a specially crafted packet to Port 34205/TCP, it is possible to trigger a stack-based buffer overflow that allows execution of arbitrary code with the privileges of the CENTUM user.

CVE-2014-0782 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
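As an added example (not code from the advisory, from Yokogawa, or from the researchers), the following Python triages firewall log lines for connections that reach the CENTUM listening ports named above and flags those coming from outside the control network, which is where an exposure review should start. The key=value log format, the control-network range 10.10.0.0/16 and the sample addresses are assumptions constructed for this example.

```python
import ipaddress
import re

# Listeners named in the advisory, keyed by (destination port, protocol).
# Port 20109 is a BKHOdeq.exe listener; the described trigger uses 20171.
CENTUM_SERVICES = {
    (52302, "UDP"): ("BKCLogSvr.exe", "CVE-2014-0781"),
    (20109, "TCP"): ("BKHOdeq.exe", "CVE-2014-0783"),
    (20171, "TCP"): ("BKHOdeq.exe", "CVE-2014-0783"),
    (20111, "TCP"): ("BKBCopyD.exe", "CVE-2014-0784"),
    (34205, "TCP"): ("BKESimmgr.exe", "CVE-2014-0782"),
}
# Assumption: the control network segment where CENTUM stations live.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")
# Assumed key=value firewall log format (constructed for this example).
LOG_RE = re.compile(r"proto=(?P<proto>TCP|UDP)\s+src=(?P<src>[\d.]+)\s+"
                    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")
# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2014-05-14T08:05:01 proto=UDP src=10.10.3.7 dst=10.10.1.20 dport=52302 action=allow",
    "2014-05-14T08:05:02 proto=TCP src=192.0.2.45 dst=10.10.1.20 dport=20171 action=allow",
    "2014-05-14T08:05:03 proto=TCP src=10.10.3.7 dst=10.10.1.20 dport=443 action=allow",
    "2014-05-14T08:05:04 proto=TCP src=198.51.100.9 dst=10.10.1.21 dport=34205 action=allow",
]


def triage(lines):
    """One dict per log line that reaches a CENTUM listener; 'external' marks
    clients outside CONTROL_NET, which is where an exposure review should start."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not match the assumed format
        key = (int(m["dport"]), m["proto"])
        if key not in CENTUM_SERVICES:
            continue  # not one of the advisory's listeners
        service, cve = CENTUM_SERVICES[key]
        findings.append({
            "src": m["src"], "dst": m["dst"], "port": key[0], "proto": key[1],
            "service": service, "cve": cve,
            "external": ipaddress.ip_address(m["src"]) not in CONTROL_NET,
        })
    return findings


def external_findings(lines):
    """Subset worth investigating: CENTUM ports reached from outside the control net."""
    return [f for f in triage(lines) if f["external"]]
```

On the constructed sample, the two external hits map to CVE-2014-0783 (BKHOdeq.exe via 20171/TCP) and CVE-2014-0782 (BKESimmgr.exe via 34205/TCP); the in-network UDP connection is recorded but not flagged.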

Exploits targeting these vulnerabilities are publicly available, and an attacker with low skill would be able to exploit them.

Yokogawa has created a patch (CENTUM CS 3000 R3.09.73 and R3.09.75) to mitigate the vulnerabilities. To activate the patch software, the computer needs to reboot. Older versions of the CENTUM CS 3000 will need to be updated to the latest version of R3.09.50 before installing the patch software.

For more information, please see the advisory Yokogawa published.
