Yokogawa CENTUM and Exaopc
Monitor · 6.5 · ICS-CERT ICSA-18-102-01 · Apr 12, 2018
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Yokogawa CENTUM distributed control system products and Exaopc software contain a privilege escalation vulnerability (CWE-284) that allows a local attacker to manipulate system or process alarm displays. Affected versions include CENTUM VP and variants (up to R6.03.10), CENTUM CS 1000/3000 (all versions), B/M9000 VP/CS (all versions), and Exaopc (up to R3.75.00). Exploitation requires local access with user-level privileges and high technical skill; no remote exploitation is possible. The vulnerability could allow an attacker to generate false alarms or block legitimate alarm displays, potentially interfering with safe plant operation monitoring.
What this means
What could happen
A local attacker with legitimate system access could manipulate alarm displays or create false alarms in your CENTUM or Exaopc control system, potentially masking real process problems or triggering unnecessary emergency responses.
Who's at risk
Water utilities and power plants using Yokogawa CENTUM distributed control systems (VP, VP Small, VP Basic, CS 1000, CS 3000 variants) or Exaopc data management software should assess if they are running vulnerable versions. The risk is highest for organizations where engineering staff share workstations or where physical security controls on operator stations are weak.
How it could be exploited
An attacker with local access to an engineering workstation running vulnerable CENTUM or Exaopc software could exploit this vulnerability to interfere with the alarm management system. The attacker would need to modify system files or memory related to alarm processing while having active user-level privileges on the compromised PC.
Prerequisites
- Local access to an engineering workstation or operator console running vulnerable CENTUM or Exaopc software
- User-level or higher privileges on the affected PC
- Knowledge of internal alarm system architecture and memory layouts
- Local access required but not remotely exploitable
- Affects safety-critical alarm systems
- Multiple products at end-of-support with no patches available
- Low exploit probability but high complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
4 with fix, 2 pending, 3 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| B/M9000 CS | All versions | No fix yet |
| B/M9000 VP | ≤ R8.01.01 | No fix yet |
| CENTUM VP Basic | ≤ R6.03.10 | R5.04.B2 or R6.04.00 |
| CENTUM CS 1000 | All versions | No fix (EOL) |
| CENTUM CS 3000 | ≤ R3.09.50 | No fix (EOL) |
| CENTUM CS 3000 Small | ≤ R3.09.50 | No fix (EOL) |
| Exaopc | ≤ R3.75.00 | R3.76.00 |
| CENTUM VP Small | ≤ R6.03.10 | R5.04.B2 or R6.04.00 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict local access to engineering workstations running CENTUM or Exaopc software; limit logins to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CENTUM VP, CENTUM VP Small, and CENTUM VP Basic to version R5.04.B2 or R6.04.00 or later
- HOTFIX: Update Exaopc to version R3.76.00 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CENTUM CS 1000 (all versions), CENTUM CS 3000, CENTUM CS 3000 Small. Apply the following compensating controls:
- HARDENING: For CENTUM CS 1000, CENTUM CS 3000, and CENTUM CS 3000 Small (end-of-support products with no updates available), plan migration to CENTUM VP
- HARDENING: Isolate control system networks and operator stations from the business network using firewalls and network segmentation
CVEs (1)