Yokogawa CENTUM, Exaopc Vulnerability

Thursday, September 18, 2014 @ 02:09 PM gHale

Yokogawa and JPCERT mitigated an authentication vulnerability for the CENTUM CS 3000 series and Exaopc products, according to a report on ICS-CERT.

Tod Beardsley of Rapid7 Inc., and Jim Denaro of CipherLaw, identified the vulnerability and released proof-of-concept (exploit) code for the remotely exploitable issue. Exploits that target this vulnerability are publicly available.


The following Yokogawa CENTUM versions suffer from the issue when the Batch Management Packages are installed:

• CENTUM CS 3000 (R3.09.50 or earlier)
• CENTUM CS 3000 Small (R3.09.50 or earlier)
• CENTUM VP (R4.03.00 or earlier, R5.04.00 or earlier)
• CENTUM VP Small (R4.03.00 or earlier, R5.04.00 or earlier)
• CENTUM VP Basic (R4.03.00 or earlier, R5.04.00 or earlier).

In addition, the following Yokogawa Exaopc version has the problem: Exaopc (R3.72.10 or earlier).

Successful exploitation of this vulnerability could allow an attacker to read and write arbitrary files on the affected system.

Yokogawa is a company based in Japan that maintains offices in several countries around the world, including North and Central America, South America, Europe, the Middle East, Africa, South Asia, and East Asia.

The affected CENTUM products are Windows-based control systems. These products see use across several sectors, including critical manufacturing, energy, food and agriculture, and others. Yokogawa estimates there are 7,600 systems worldwide.

CENTUM’s BKBCopyD.exe service starts if the Batch Management Packages are installed. It listens by default on Port 20111/TCP. The service requires no authentication, which makes it possible to abuse several operations it provides in order to:
• Leak the CENTUM project database location
• Read arbitrary files
• Write arbitrary files

This is a different vulnerability from CVE-2014-0784, which was reported in March.

CVE-2014-5208 is the case number assigned to this vulnerability, to which Yokogawa assigned a CVSS v2 base score of 6.8.

An attacker with low skill would be able to exploit this vulnerability.

Yokogawa will provide patch software for the latest revisions of the affected products at the end of September 2014. Contact Yokogawa technical support and services for the details on the release date and installation questions.

Yokogawa also suggests all customers introduce appropriate security measures to the overall system, not just for the vulnerability identified.

For more information, please see Yokogawa Security Advisory Report YSAR-14-0003E, published on September 17.

Yokogawa also recommends the following firewall mitigation measures:
• Block external data communications from outside of the control system network on Port 20111/TCP
• Allow internal traffic on Port 20111/TCP only for the CENTUM systems installed with Batch Management Packages
• Block the traffic on Port 20111/TCP to Exaopc installations.
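The three firewall rules above, together with the description of the unauthenticated BKBCopyD.exe listener on Port 20111/TCP, translate directly into a check a network defender can run over connection or flow records to find exposures before the patch arrives. The following Python is an added example written for this article; it is not code from Yokogawa, ICS-CERT or the researchers. The control-network range, the addresses of the Batch Management hosts and the Exaopc server, and the one-line flow-log format are all assumptions constructed for the illustration.

```python
"""Audit connection records against the advisory's three firewall rules
for the BKBCopyD.exe listener on TCP/20111 (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

BKBCOPYD_PORT = 20111

# Hypothetical network layout, constructed for this example.
CONTROL_NETWORK = ipaddress.ip_network("10.10.0.0/16")
# Only hosts that actually run the Batch Management Packages may be reached on 20111.
BATCH_HOSTS = {ipaddress.ip_address("10.10.1.10"), ipaddress.ip_address("10.10.1.11")}
# Exaopc installations: the advisory says to block 20111 to these outright.
EXAOPC_HOSTS = {ipaddress.ip_address("10.10.2.20")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify(flow):
    """Return None if the flow is permitted, otherwise the name of the rule it breaks."""
    if flow.proto != "tcp" or flow.dport != BKBCOPYD_PORT:
        return None  # outside the scope of this advisory
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst in EXAOPC_HOSTS:
        return "exaopc-target"  # rule 3: block 20111/TCP to Exaopc installations
    if src not in CONTROL_NETWORK:
        return "external-source"  # rule 1: block 20111/TCP from outside the control network
    if dst not in BATCH_HOSTS:
        return "non-batch-target"  # rule 2: internal 20111/TCP only to Batch Management hosts
    return None


def parse_flow_log(text):
    """Parse the constructed 'src dst proto dport' one-record-per-line format."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def audit(text):
    """Return (flow, violated_rule) pairs for every record that breaks a rule."""
    return [(f, v) for f in parse_flow_log(text) if (v := classify(f))]


# Constructed sample records: an allowed batch-host connection, an external
# source, a connection to the Exaopc server, a non-batch internal target,
# and unrelated SMB traffic that the check must ignore.
SAMPLE_LOG = """\
# src          dst         proto dport
10.10.5.7    10.10.1.10  tcp 20111
10.10.5.7    10.10.1.11  tcp 20111
192.0.2.44   10.10.1.10  tcp 20111
10.10.5.7    10.10.2.20  tcp 20111
10.10.5.7    10.10.3.30  tcp 20111
10.10.5.7    10.10.1.10  tcp 445
"""

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  VIOLATES {why}")
```

The Exaopc check runs before the external-source check because rule 3 blocks 20111/TCP to an Exaopc installation regardless of where the connection originates; swap the order if you would rather see perimeter violations reported first. Any hit in the output is a path on which the unauthenticated read/write operations of BKBCopyD.exe are reachable and should be closed at the firewall until the patch is installed.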
