Yokogawa STARDOM Controllers (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-18-151-03May 31, 2018

Yokogawa

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Yokogawa STARDOM controller family contains multiple critical vulnerabilities: hardcoded credentials (CWE-798), insufficient credential protection (CWE-522), session fixation (CWE-384), and denial-of-service memory exhaustion (CWE-400). An attacker with network access can authenticate using hardcoded credentials and execute arbitrary code on affected controllers. The vulnerabilities affect FCN-100, FCN-500, FCN-RTU, and FCJ models running firmware versions R4.10 and prior (R4.02 and prior for some models). Successful exploitation could allow remote code execution, unauthorized access, or denial of service on control systems managing critical processes.

What this means

What could happen

An attacker with network access to a STARDOM controller could execute arbitrary commands on the device, potentially altering process setpoints, stopping operations, or causing a denial of service on critical infrastructure like power distribution or water treatment systems.

Who's at risk

Water utilities, municipal electric utilities, and other critical infrastructure operators running Yokogawa STARDOM distributed control systems (FCN-100, FCN-500, FCN-RTU, and FCJ models) should prioritize this issue. These controllers are commonly used to manage and monitor processes in water treatment, power distribution, and HVAC systems.

How it could be exploited

An attacker on the network can send a specially crafted request to the STARDOM controller. The device has hardcoded credentials, no session protection, and inadequate credential encryption, allowing the attacker to authenticate and execute arbitrary code with high privileges.

Prerequisites

Network access to the STARDOM controller (directly or via industrial network)
Knowledge of hardcoded credentials (publicly documented or discoverable)
Device running vulnerable firmware version (R4.10 or earlier for FCN-RTU/FCJ, R4.02 or earlier for FCN-100/FCN-500)

Remotely exploitableNo authentication required (hardcoded credentials)Low complexity exploitationNo patch available for some versions (end-of-life models)Affects critical infrastructure control systemsDefault/hardcoded credentials

Exploitability

Some exploitation risk — EPSS score 6.5%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

STARDOM Controller FCN-RTU: (R4.10 and prior)≤ (R4.10)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCJ: (R4.10 and prior)≤ (R4.10)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCN-500: (R4.02 and prior)≤ (R4.02)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCN-100: (R4.02 and prior)≤ (R4.02)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCN-RTU: (R4.02 and prior)≤ (R4.02)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCJ: (R4.02 and prior)≤ (R4.02)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCN-500: (R4.10 and prior)≤ (R4.10)R4.20+ (partial fix for memory exhaustion only)

STARDOM Controller FCN-100: (R4.10 and prior)≤ (R4.10)R4.20+ (partial fix for memory exhaustion only)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to STARDOM controllers using packet filtering rules on the controller itself (FCN packet filter function) and edge firewalls to allow only trusted engineering workstations and automation servers

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade STARDOM FCN/FCJ controller firmware to Version R4.20 or later

Long-term hardening

0/2

HARDENINGImplement network encryption and monitoring to prevent unauthorized capture of communication data between STARDOM devices and connected systems

HARDENINGPlace STARDOM controllers and associated control networks behind firewalls and isolate them from business networks and Internet-facing infrastructure

CVEs (5)

CVE-2018-10592 CVE-2018-17900 CVE-2018-17902 CVE-2018-17896 CVE-2018-17898

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0ccf7b0d-7bcf-4e9d-87ee-6520827124fd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.