OTPulse

Yokogawa Multiple Products Buffer Overflow Vulnerabilities

Low Risk · ICS-CERT ICSA-15-253-01 · Jun 13, 2015
Summary

Yokogawa distributed control system (DCS) and HMI/SCADA products contain buffer overflow vulnerabilities in data processing functions. Affected products include CENTUM CS 1000, CENTUM CS 3000, CENTUM VP, ProSafe-RS safety controller, Exaquantum historian, Exapilot, Exaplog, Exasmoc, Exarqe, STARDOM VDS, STARDOM OPC Server, FAST/TOOLS engineering suite, B/M9000CS, B/M9000 VP, FieldMate configuration tool, Field Wireless Device OPC Server, PRM, and Exaopc. An attacker could exploit these to run arbitrary code on control system equipment.

What this means
What could happen
A buffer overflow in Yokogawa distributed control system (DCS) and HMI/SCADA software could allow an attacker with local or network access to execute arbitrary code on critical plant control systems, potentially disrupting process operations or altering control setpoints.
Who's at risk
Any facility running the affected Yokogawa products is at risk; this page calls out water treatment and distribution utilities and municipal electric systems in particular. Specific equipment at risk includes CENTUM control system consoles, CENTUM VP engineering workstations, ProSafe-RS safety instrumented system (SIS) controllers, Exaquantum/Batch historian and operator consoles, STARDOM automation servers, and OPC servers that bridge ICS networks to IT systems. Field wireless gateway servers and FieldMate device configuration tools are also vulnerable.
How it could be exploited
An attacker would need to send a specially crafted input to a vulnerable Yokogawa product (DCS console, HMI, OPC server, or engineering tool) that copies that input into a fixed-size buffer without checking its length. Because the vulnerability class is a stack-based buffer overflow (CWE-121), the oversized input overwrites adjacent stack memory, including saved return addresses, and can redirect execution to attacker-controlled code. On an OPC server or other network-facing component, the crafted input can arrive over the network; on an engineering tool it may arrive as a file or local input.
Prerequisites
  • Network or local access to an affected Yokogawa product component
  • A vulnerable version of the product running (R3.08.70 or earlier for CENTUM CS 1000, R5.04.20 or earlier for CENTUM VP, etc.)
  • Ability to send crafted input to the vulnerable parsing/processing function
Key points
  • No patch available for any affected product
  • Buffer overflow (CWE-121) can lead to arbitrary code execution
  • Affects critical DCS and safety system components (ProSafe-RS)
  • Multiple product lines affected across the entire Yokogawa platform
  • Potentially remotely exploitable via OPC servers and network interfaces
Exploitability
Moderate exploit probability (EPSS 7.5%)
Affected products (21)
All 21 affected products are End of Life (EOL).

Product                Affected versions   Fix status
CENTUM CS 1000         <= R3.08.70         No fix (EOL)
CENTUM CS 3000         <= R3.09.50         No fix (EOL)
CENTUM VP              <= R5.04.20         No fix (EOL)
CENTUM VP Entry        <= R5.04.20         No fix (EOL)
ProSafe-RS             <= R3.02.10         No fix (EOL)
(first 5 of 21 shown; the full list of products and affected versions appears under "Mitigations - no patch available" below)
Remediation & Mitigation
Do now
  • HARDENING: Identify and document all Yokogawa DCS, HMI, OPC Server, and engineering tool installations in your network with affected versions (CENTUM CS, CENTUM VP, ProSafe-RS, Exaquantum, STARDOM, FAST/TOOLS, etc.)
  • HARDENING: Implement network segmentation to restrict access to Yokogawa control systems from untrusted networks and engineering workstations; use firewall rules to limit inbound connections to necessary management ports only
  • WORKAROUND: Disable or restrict remote access capabilities on Yokogawa products where not required for operations
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • CENTUM CS 1000: <= R3.08.70
  • CENTUM CS 3000: <= R3.09.50
  • CENTUM CS 3000 Entry: <= R3.09.50
  • CENTUM VP: <= R5.04.20
  • CENTUM VP Entry: <= R5.04.20
  • ProSafe-RS: <= R3.02.10
  • Exaopc: <= R3.72.00
  • Exaquantum: <= R2.85.00
  • Exaquantum/Batch: <= R2.50.30
  • Exapilot: <= R3.96.10
  • Exaplog: <= R3.40.00
  • Exasmoc: <= R4.03.20
  • Exarqe: <= R4.03.20
  • Field Wireless Device OPC Server: <= R2.01.02
  • PRM: <= R3.12.00
  • STARDOM OPC Server for Windows: <= R3.40
  • STARDOM VDS: <= R7.30.01
  • FAST/TOOLS: <= R10.01
  • B/M9000CS: <= R5.05.01
  • B/M9000 VP: <= R7.03.04
  • FieldMate: R1.01, R1.02
Apply the following compensating controls:
  • HARDENING: Monitor Yokogawa vendor advisories for security patches or workarounds; engage Yokogawa directly to request update availability for affected products
  • HARDENING: Plan an equipment replacement or upgrade strategy for products where no fix is available, prioritizing systems in critical process paths
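The inventory step under "Do now" and the End-of-Life version list above are easiest to apply with a script that compares each installed release against the advisory's ceilings, because Yokogawa release strings have a variable number of components (R3.40 versus R3.08.70) and a plain string comparison gets them wrong. The following Python is an added example, not code from OTPulse, ICS-CERT or Yokogawa. The inventory CSV, its hostnames and its versions are constructed; the version ceilings are copied from the list above; and the script assumes that release strings compare component-wise as integers, so R3.40 equals R3.40.00 and R10.01 is newer than R9.99.

```python
"""Triage a site asset inventory against the affected-version list for ICSA-15-253-01.

Added example, not part of the advisory. The inventory rows are constructed;
the version ceilings are copied from the advisory's End-of-Life product list.
"""
import csv
import io
import re

# Highest affected version per product (inclusive), from the advisory's EOL list.
# FieldMate is listed as two discrete versions rather than a ceiling (see below).
AFFECTED_CEILING = {
    "CENTUM CS 1000": "R3.08.70",
    "CENTUM CS 3000": "R3.09.50",
    "CENTUM CS 3000 Entry": "R3.09.50",
    "CENTUM VP": "R5.04.20",
    "CENTUM VP Entry": "R5.04.20",
    "ProSafe-RS": "R3.02.10",
    "Exaopc": "R3.72.00",
    "Exaquantum": "R2.85.00",
    "Exaquantum/Batch": "R2.50.30",
    "Exapilot": "R3.96.10",
    "Exaplog": "R3.40.00",
    "Exasmoc": "R4.03.20",
    "Exarqe": "R4.03.20",
    "Field Wireless Device OPC Server": "R2.01.02",
    "PRM": "R3.12.00",
    "STARDOM OPC Server for Windows": "R3.40",
    "STARDOM VDS": "R7.30.01",
    "FAST/TOOLS": "R10.01",
    "B/M9000CS": "R5.05.01",
    "B/M9000 VP": "R7.03.04",
}
AFFECTED_EXACT = {"FieldMate": {"R1.01", "R1.02"}}

# Assumption: Yokogawa releases look like R<major>[.<minor>[.<patch>]].
_VERSION_RE = re.compile(r"^R(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text):
    """Turn 'R3.08.70' / 'R3.40' / 'R10.01' into a comparable tuple of ints.

    Missing trailing components count as 0, so 'R3.40' == 'R3.40.00'.
    Raises ValueError on anything that is not an R-style version string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Yokogawa R-version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(product, version):
    """True if this product/version pair falls inside the advisory's affected range."""
    if product in AFFECTED_EXACT:
        return version.strip() in AFFECTED_EXACT[product]
    ceiling = AFFECTED_CEILING.get(product)
    if ceiling is None:
        return False  # product is not named in the advisory
    return parse_version(version) <= parse_version(ceiling)


def triage_inventory(csv_text):
    """Return (hostname, product, version, status) for each row of a CSV inventory.

    status is one of AFFECTED, NOT_AFFECTED, NOT_IN_ADVISORY or UNPARSEABLE.
    An unparseable version is reported rather than guessed so the record gets fixed.
    """
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        product, version = row["product"].strip(), row["version"].strip()
        if product not in AFFECTED_CEILING and product not in AFFECTED_EXACT:
            status = "NOT_IN_ADVISORY"
        else:
            try:
                status = "AFFECTED" if is_affected(product, version) else "NOT_AFFECTED"
            except ValueError:
                status = "UNPARSEABLE"
        results.append((row["hostname"], product, version, status))
    return results


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """hostname,product,version
his0101,CENTUM VP,R5.04.20
his0102,CENTUM VP,R5.04.21
scs0201,ProSafe-RS,R3.02.10
opc01,STARDOM OPC Server for Windows,R3.40
eng01,FieldMate,R1.02
eng02,FieldMate,R1.03
hist01,Exaquantum,R3.01.00
plc99,Some Other PLC,v2.1
bad01,CENTUM CS 3000,unknown
"""

if __name__ == "__main__":
    for host, product, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:16} {host:8} {product} {version}")
```

Feed it your real inventory export in place of SAMPLE_INVENTORY and treat every AFFECTED row as a candidate for the segmentation and remote-access restrictions above, and every UNPARSEABLE row as an inventory defect to fix before trusting the result. The ceilings are inclusive, so a host at exactly the listed version (for example CENTUM VP R5.04.20) is reported as affected.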