Yokogawa created patches for a series of buffer overflow vulnerabilities affecting several of its products.
Juan Vazquez of Rapid7 Inc., and independent researcher Julian Vilas Diaz reported to CERT/CC that they identified several vulnerabilities for the Yokogawa CENTUM CS 3000 application. In the investigation of this report, Yokogawa found other products that could also have issues.
CERT/CC, NCCIC/ICS-CERT, and JPCERT coordinated with Rapid7 and Yokogawa to mitigate these remotely exploitable vulnerabilities.
The following Yokogawa products suffer from all four buffer overflow vulnerabilities:
• CENTUM CS 1000 all revisions
• CENTUM CS 3000 Entry Class R3.09.50 and earlier
• CENTUM VP R5.03.00 and earlier
• CENTUM VP Entry Class R5.03.00 and earlier
• Exaopc R3.71.02 and earlier
• B/M9000CS R5.05.01 and earlier
• B/M9000 VP R7.03.01 and earlier
The following Yokogawa products are affected only by the heap-based buffer overflow:
• ProSafe-RS R1.03.00 and earlier
• Exapilot R3.96.00 and earlier
• Exaplog R3.40.00 and earlier
• Exaquantum R2.02.50 to R2.80.00
• Exasmoc R4.03.20 and earlier
• Exarqe R4.03.20 and earlier
• AAASuite R1.20.13 and earlier
• PRM R3.11.20 and earlier
• STARDOM FCN/FCJ OPC Server for Windows R3.40.01 and earlier
• Field Wireless Device OPC Server R2.01.01 and earlier
• DAQOPC R3.01 and earlier
• FieldMate R1.03 and earlier
• EJXMVTool R1.02.00 to R1.02.02
• RPO Production Supervisor VP R1.03.00 and earlier
• CENTUM Long-term Trend Historian all versions
• CENTUM Event Viewer Package all versions
Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service (DoS) or potentially acquire system privileges to execute arbitrary code.
Yokogawa is a Japan-based company that maintains offices on several continents, including North and Central America, South America, Europe, Middle East, Africa, and parts of Asia.
• CENTUM VP is an integrated production control system.
• Exaopc is an OPC server for data access, alarms and events, historical data access, batch information, and a security interface for CENTUM series process control systems.
• B/M9000CS and B/M9000 VP are quality control systems for use in the pulp and paper industry.
• ProSafe-RS is a PLC that functions as a distributed control system and a safety instrumented system.
• Exapilot is an online navigation tool that guides operators step by step through plant operating procedures.
• Exaplog is an event analysis package.
• Exaquantum is a comprehensive plant information management system.
• Exasmoc is a multi-variable control APC suite.
• Exarqe is a software package designed to provide product quality signal as feedback to APC applications.
• AAASuite is an alarm management system.
• PRM is a plant asset management software tool that works with production control systems.
• STARDOM is a network-based control system.
• Field Wireless Device OPC Server provides data from a field wireless gateway to the OPC client via an OPC interface.
• FieldMate is a device management tool.
Yokogawa said these products see use across several sectors including critical manufacturing, energy, and food and agriculture. Yokogawa estimates these systems have installations worldwide.
Heap-based buffer overflow: In the first vulnerability listed, there is a heap-based buffer overflow in Yokogawa’s “BKCLogSvr.exe” service, which starts automatically with the system, and listens by default on Port 52302/UDP. By sending a specially crafted sequence of packets to Port 52302/UDP, it is possible to trigger a heap-based buffer overflow after a usage of uninitialized data, which allows an attacker to DoS the BKCLogSvr.exe and could allow execution of arbitrary code with system privileges.
CVE-2014-0781 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Stack-based buffer overflow: Yokogawa’s “BKHOdeq.exe” service, which started when running the FCS /Test Function, listens by default on Ports 20109/TCP, and 20171/TCP. By sending a specially crafted packet to Port 20171/TCP, it is possible to trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.
CVE-2014-0783 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.
Stack-based buffer overflow: Yokogawa’s “BKBCopyD.exe” service, which starts when running the FCS /Test Function, listens by default on Port 20111/TCP. By sending a specially crafted packet to Port 20111/TCP, it is possible to trigger a stack-based buffer overflow, which allows execution of arbitrary code with the privileges of the CENTUM user.
CVE-2014-0784 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
Stack-based buffer overflow: Yokogawa’s “BKESimmgr.exe” service that started automatically on the system startup by default, which installed Expanded Test Functions Package, listens on TCP/34205. By sending a specially crafted packet to the Port 34205/TCP, it is possible to trigger a stack-based buffer overflow that allows execution of arbitrary code with the privileges of the CENTUM user.
CVE-2014-0782 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
Exploits that target these vulnerabilities are publicly available and an attacker with a low skill would be able to exploit these vulnerabilities.
Yokogawa has provided patch software for the latest revisions of the affected products. For details about individual countermeasures by the affected product, please refer to Yokogawa’s Security Advisory Report.
To activate the patch software, the computer needs to reboot. In case the system uses earlier versions of the software, than the ones for which there are software patches, the user will need to upgrade to the revisions/versions mentioned in the table in the Yokogawa Security Advisory Report and then apply for the software patches.