Yokogawa Fixes Buffer Overflow

Tuesday, July 8, 2014 @ 06:07 PM gHale


Yokogawa patched a remotely exploitable buffer overflow vulnerability in its CENTUM products, according to a report on ICS-CERT.

The vulnerability, discovered by Rapid7, affects the following products:
• CENTUM CS 1000 all revisions
• CENTUM CS 3000 R3.09.50 or earlier
• CENTUM CS 3000 Entry Class R3.09.50 or earlier
• CENTUM VP R5.03.20 or earlier
• CENTUM VP Entry Class R5.03.20 or earlier
• Exaopc R3.72.00 or earlier
• B/M9000CS R5.05.01 or earlier
• B/M9000 VP R7.03.01 or earlier

Successful exploitation of this vulnerability may allow remote attackers to execute arbitrary code.

Yokogawa is a company based in Japan that maintains offices on several continents, including North and Central America, South America, Europe, Middle East, Africa, and parts of Asia.

CENTUM VP is an integrated production control system. Exaopc is an OPC server for data access, alarms and events, historical data access, batch information, and a security interface for CENTUM series process control systems. B/M9000CS and B/M9000 VP are quality control systems for use in the pulp and paper industry.

These products see action across several sectors worldwide including critical manufacturing, energy, food and agriculture.

The “BKFSim_vhfd.exe” service, started when running the “FCS/Test Function” for extended virtual testing, listens by default on Port 20010 (TCP and UDP). A specially crafted packet sent to Port 20010/UDP can trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.
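To check whether a host has a socket bound to that port, the following added example (not code from Yokogawa, Rapid7 or ICS-CERT) parses Windows `netstat -ano` output and reports TCP listeners and UDP sockets on 20010. The sample output, function names and field names are constructed for illustration.

```python
import ipaddress

BKFSIM_PORT = 20010  # default BKFSim_vhfd.exe port named in the article

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:20010          0.0.0.0:0              LISTENING       4312
  TCP    10.1.2.30:49822        10.1.2.5:20010         ESTABLISHED     2200
  TCP    [::]:20010             [::]:0                 LISTENING       4312
  UDP    0.0.0.0:20010          *:*                                    4312
  UDP    127.0.0.1:20010        *:*                                    5120
"""


def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[fe80::1%12]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return ipaddress.ip_address(host), int(port)


def find_listeners(netstat_text, port=BKFSIM_PORT):
    """Return one finding per TCP listener or UDP socket bound to `port`."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a State column; UDP rows do not.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        try:
            addr, local_port = split_endpoint(local)
        except ValueError:
            continue  # unparseable row, e.g. a wildcard local address
        if local_port != port:
            continue
        findings.append({
            "proto": proto,
            "address": str(addr),
            "pid": pid,
            # Not loopback: reachable from other hosts unless a firewall blocks it.
            "network_reachable": not addr.is_loopback,
        })
    return findings


if __name__ == "__main__":
    for finding in find_listeners(SAMPLE_NETSTAT):
        print(finding)
```

Because the overflow is triggered over 20010/UDP, a UDP finding with `network_reachable` set is the one to prioritize; confirm from the PID that the owning process is BKFSim_vhfd.exe before acting on it.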

CVE-2014-3888 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

No known public exploits specifically target this vulnerability. However, an attacker with moderate skill would be able to exploit it.

Yokogawa provides patch software that corrects the issue for the latest revisions of the affected products. The computer must be rebooted to activate the patch software. If a system runs a version earlier than the ones for which software patches exist, Yokogawa recommends that users upgrade to the latest revisions/versions and then apply the software patches.

For details about individual countermeasures by the affected product, please refer to “YSAR-14-0002E: Buffer Overflow Vulnerability in CENTUM systems and Exaopc” on the Yokogawa Security Advisory Report website.

For questions related to this vulnerability or how to obtain the patch software, contact the Yokogawa service department.
