Yokogawa Patches CENTUM CS 3000 Holes

Wednesday, March 12, 2014 @ 04:03 PM gHale


Yokogawa created a patch that mitigates several buffer overflow vulnerabilities in its CENTUM CS 3000 application, according to a report on ICS-CERT.

Juan Vazquez of Rapid7 Inc. and independent researcher Julian Vilas Diaz, who found the flaws and published proof of concept (exploit) code, worked with CERT/CC, NCCIC/ICS-CERT, JPCERT and Yokogawa to mitigate these remotely exploitable vulnerabilities.

RELATED STORIES
Schneider OFS Buffer Overflow
Schneider Fixes Bug, Patches Others
Increase in NTP Reflection Attacks
Siemens Fixes RuggedCom Vulnerability

The CENTUM CS 3000 R3.09.50 and earlier suffer from the vulnerabilities.

Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service (DoS) or even potentially get system privileges to execute arbitrary code.

Yokogawa is a Japan-based company that maintains offices in several countries around the world, including North and Central America, South America, Europe, Middle East, Africa, South Asia, and East Asia.

The affected products, CENTUM CS 3000, are Windows-based control systems. According to Yokogawa, these products work across several sectors including critical manufacturing, energy, food and agriculture, and others. Yokogawa estimates that there are 7,600 systems worldwide.

CENTUM’s BKCLogSvr.exe service, started automatically with the system, listens by default on Port 52302/UDP. By sending a specially crafted sequence of packets to Port 52302/UDP, it is possible to trigger a heap-based buffer overflow after a usage of uninitialized data, which allows an attacker to DoS the BKCLogSvr.exe and could allow execution of arbitrary code with system privileges.

CVE-2014-0781 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

CENTUM’s BKHOdeq.exe service, which started when running the FCS/Test Function, listens by default on Ports 20109/TCP, 20171/TCP, and 1240/UDP. By sending a specially crafted packet to Port 20171/TCP, it is possible to trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.

CVE-2014-0783 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.

CENTUM’s BKBCopyD.exe service, which starts when running the FCS /Test Function, listens by default on Port 20111/TCP. By sending a specially crafted packet to Port 20111/TCP, it is possible to trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.

CVE-2014-0784 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

Exploits that target these vulnerabilities are publicly available and an attacker with a low skill would be able to exploit these vulnerabilities.

Yokogawa created a patch (CENTUM CS 3000 R3.09.50) to mitigate the reported vulnerabilities. To activate the patch software, the computer needs to reboot. Older versions of the CENTUM CS 3000 will need to update to the latest version of R3.09.50 before installing the patch software.

Yokogawa also suggests users to introduce appropriate security measures to the overall system, not just for the vulnerabilities identified.

For more information, click here to read the advisory Yokogawa published.



Leave a Reply

You must be logged in to post a comment.