Yokogawa Centum Buffer Overflow Vulnerability
Act Now | ICS-CERT ICSA-14-189-01 | Apr 10, 2014
Summary
A buffer overflow vulnerability exists in Yokogawa Centum control system products (CS 1000, CS 3000, VP, Entry Class variants, Exaopc, and B/M9000 series). The vulnerability is triggered by input that exceeds buffer bounds, potentially allowing code execution on affected engineering workstations and process servers. No vendor fix is currently available for any affected product line.
What this means
What could happen
A buffer overflow in Yokogawa control systems could allow an attacker to execute arbitrary code on the engineering workstation or process server, potentially disrupting process monitoring, alarming, and control functions in water treatment, power generation, or chemical processing facilities.
Who's at risk
Operators of water treatment plants, electric utilities, chemical processing, and other critical infrastructure using Yokogawa Centum CS 1000/3000, Centum VP, Exaopc, or B/M9000 control systems should be concerned. Impact is highest on engineering workstations and process servers that have direct process control authority.
How it could be exploited
An attacker with network access to a Yokogawa Centum or similar control system workstation or server could send a specially crafted message or input that overflows a buffer in the application memory, overwriting adjacent memory and allowing execution of attacker-controlled code on the affected system.
Prerequisites
- Network access to the affected Yokogawa control system (Centum engineering workstation, VP server, or Exaopc machine)
- The vulnerable application running with no additional input validation in place
- No patch available from vendor
- High EPSS score (29%)
- Buffer overflow can lead to code execution
- Affects critical infrastructure control systems
Exploitability
High exploit probability (EPSS 29.0%)
Affected products (8)
8 EOL
Product | Affected Versions | Fix Status
CENTUM CS 3000 | ≤ R3.09.50 | No fix (EOL)
CENTUM VP | ≤ R5.03.20 | No fix (EOL)
CENTUM VP Entry Class | ≤ R5.03.20 | No fix (EOL)
Exaopc | ≤ R3.72.00 | No fix (EOL)
B/M9000CS | ≤ R5.05.01 | No fix (EOL)
B/M9000 VP | ≤ R7.03.01 | No fix (EOL)
CENTUM CS 1000 | All revisions | No fix (EOL)
CENTUM CS 3000 Entry Class | ≤ R3.09.50 | No fix (EOL)
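For asset triage, the table above can be applied to an inventory export. The following is an added example, not part of the advisory or any Yokogawa tooling; it assumes revisions are written as `R<major>.<minor>.<patch>` and order numerically by component, and the hostnames and installed revisions in the sample inventory are constructed.

```python
import re

# Affected ceilings copied from the advisory table; None = all revisions.
AFFECTED = {
    "CENTUM CS 1000": None,
    "CENTUM CS 3000": "R3.09.50",
    "CENTUM CS 3000 Entry Class": "R3.09.50",
    "CENTUM VP": "R5.03.20",
    "CENTUM VP Entry Class": "R5.03.20",
    "Exaopc": "R3.72.00",
    "B/M9000CS": "R5.05.01",
    "B/M9000 VP": "R7.03.01",
}
_REV = re.compile(r"^R(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)

def parse_revision(text):
    """Turn 'R3.09.50' into (3, 9, 50); raise ValueError on anything else."""
    m = _REV.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised revision: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(product, revision):
    """Return 'affected', 'above_listed_range', 'not_listed' or 'review'."""
    names = {p.lower(): p for p in AFFECTED}
    key = names.get(" ".join(product.split()).lower())
    if key is None:
        return "not_listed"            # product is not in the advisory table
    ceiling = AFFECTED[key]
    if ceiling is None:
        return "affected"              # every revision is listed as affected
    try:
        installed = parse_revision(revision)
    except ValueError:
        return "review"                # unparseable revision: check by hand
    in_range = installed <= parse_revision(ceiling)
    return "affected" if in_range else "above_listed_range"

# Constructed sample inventory: (hostname, product, installed revision).
INVENTORY = [
    ("HIS-01", "CENTUM VP", "R5.03.20"),
    ("OPC-01", "Exaopc", "R3.73.00"),
    ("ENG-OLD", "CENTUM CS 1000", "unknown"),
    ("HIS-02", "CENTUM VP", "5.04"),
]

def triage(inventory):
    return {host: classify(product, rev) for host, product, rev in inventory}

if __name__ == "__main__":
    print(triage(INVENTORY))
```

A result of `above_listed_range` only means the revision is higher than the ceiling listed in the table; the advisory lists no fixed release, so such hosts still need the compensating controls reviewed.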
Remediation & Mitigation
Do now
WORKAROUND: Apply input validation and bounds checking at network entry points if possible through firewall rules or industrial protocol filters to reject oversized or malformed messages to Centum systems.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
HARDENING: Monitor Yokogawa release notes and contact Yokogawa support for any patch availability; request timelines for fixes to affected product lines (Centum CS 1000/3000, Centum VP, Exaopc, B/M9000 series).
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CENTUM CS 3000 (≤ R3.09.50), CENTUM VP (≤ R5.03.20), CENTUM VP Entry Class (≤ R5.03.20), Exaopc (≤ R3.72.00), B/M9000CS (≤ R5.05.01), B/M9000 VP (≤ R7.03.01), CENTUM CS 1000 (all revisions), CENTUM CS 3000 Entry Class (≤ R3.09.50). Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict access to Yokogawa Centum/VP systems from untrusted networks; limit communication to engineering workstations, operator stations, and field devices on the control network only.
CVEs (1)