Yokogawa Vnet/IP Open Communication Driver
Monitor · 7.5 · ICS-CERT ICSA-19-003-02 · Jan 3, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Vnet/IP Open Communication Driver in Yokogawa control system products contains a denial of service vulnerability that can be exploited remotely to cause network communications to controlled devices to become unavailable. An attacker can send specially crafted network packets to cause the Vnet/IP driver to stop responding, disrupting communication between engineering workstations and field devices (PLCs, I/O modules, process control nodes).
What this means
What could happen
An attacker could disrupt network communication between your engineering workstations and your PLCs/field devices, making control system devices unreachable and potentially halting automated operations until communication is restored.
Who's at risk
Operators of Yokogawa CENTUM VP, CENTUM VP Entry Class, B/M9000 VP, CENTUM CS 3000, PRM, Exaopc, FAST/TOOLS, and ProSafe-RS systems should assess whether their deployed versions fall within the affected ranges. These are control system engineering platforms and communication drivers used in process automation and safety instrumentation across oil & gas, chemicals, power, and water/wastewater sectors.
How it could be exploited
An attacker on your network or with network access to a device running the affected Vnet/IP driver could send a crafted network message to the driver port, causing it to stop responding. The driver handles communications for CENTUM VP, B/M9000 VP, ProSafe-RS, and other Yokogawa control systems, so disruption affects all devices downstream.
Prerequisites
- Network access to the Vnet/IP driver port on an affected Yokogawa system
- No credentials or authentication required
- Knowledge of the affected driver version running on the target system
remotely exploitable · no authentication required · low complexity · no patch available · affects critical control system communications
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (9)
9 EOL
Product | Affected Versions | Fix Status
CENTUM VP Entry Class: (R4.01.00 - R6.03.10) | ≥ R4.01.00, ≤ R6.03.10 | No fix (EOL)
B/M9000 VP: (R6.03.01 - R8.01.90) | ≥ R6.03.01, ≤ R8.01.90 | No fix (EOL)
CENTUM VP: (R4.01.00 - R6.03.10) | ≥ R4.01.00, ≤ R6.03.10 | No fix (EOL)
Exaopc: (R3.10.00 - R3.75.00) | ≥ R3.10.00, ≤ R3.75.00 | No fix (EOL)
CENTUM CS 3000: (R3.05.00 - R3.09.50) | ≥ R3.05.00, ≤ R3.09.50 | No fix (EOL)
ProSafe-RS: (R1.02.00 - R4.02.00) | ≥ R1.02.00, ≤ 4.02.00 | No fix (EOL)
PRM: (R2.06.00 - R3.31.00) | ≥ R2.06.00, ≤ R3.31.00 | No fix (EOL)
FAST/TOOLS: (R9.02.00 - R10.02.00) | ≥ R9.02.00, ≤ R10.02.00 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Monitor for signs of network denial of service (excessive traffic, device unreachability)
WORKAROUND: Review Yokogawa Security Advisory Report YSAR-18-0008 for detailed guidance on affected versions and any updates available beyond the stated version ranges
Schedule (requires maintenance window)
Patching may require device reboot; plan for process interruption
HARDENING: Isolate control system networks behind firewalls and from the business network to restrict network access to Vnet/IP drivers
HARDENING: Implement network segmentation to restrict which systems can reach Yokogawa control devices
CVEs (1)