Yokogawa License Manager Service

Plan Patch8.1ICS-CERT ICSA-19-029-01Jan 29, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

A vulnerability in the access control mechanism of the License Manager Service in Yokogawa products allows an attacker to remotely upload and execute arbitrary files. Affected products include CENTUM VP (R5.01.00–R6.06.00), CENTUM VP Entry Class (R5.01.00–R6.06.00), B/M9000 VP (R7.01.01–R8.02.03), ProSafe-RS (R3.01.00–R4.04.00), and PRM (R4.01.00–R4.02.00). The vulnerability is classified as CWE-434 (unrestricted upload of file with dangerous type).

What this means

What could happen

An attacker could upload and execute arbitrary code on the License Manager Service, potentially compromising control system devices and allowing modification of critical process parameters or shutdown of operations.

Who's at risk

Water authorities and utilities operating Yokogawa distributed control systems (CENTUM VP, B/M9000 VP), safety-critical systems (ProSafe-RS), and production resource management platforms (PRM) should prioritize this. The License Manager Service is typically part of the supervisory control architecture managing process automation across multiple production units.

How it could be exploited

An attacker with network access to port 8080 (typical for Yokogawa License Manager Service) can bypass access controls and upload a malicious file. The service then executes the uploaded file, giving the attacker code execution on the device.

Prerequisites

Network access to the License Manager Service port (typically port 8080)
No authentication credentials required
License Manager Service must be running and reachable from the attacker's network

remotely exploitableno authentication requiredlow complexityhigh EPSS score (8.7%)no patch available

Exploitability

Moderate exploit probability (EPSS 8.7%)

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

CENTUM VP: (R5.01.00 - R6.06.00)≥ R5.01.00 | ≤ R6.06.00No fix (EOL)

B/M9000 VP: (R7.01.01 - R8.02.03)≥ R7.01.01 | ≤ R8.02.03No fix (EOL)

ProSafe-RS: (R3.01.00 - R4.04.00)≥ R3.01.00 | ≤ R4.04.00No fix (EOL)

PRM: (R4.01.00 - R4.02.00)≥ R4.01.00 | ≤ R4.02.00No fix (EOL)

CENTUM VP Entry Class: (R5.01.00 - R6.06.00)≥ R5.01.00 | ≤ R6.06.00No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDImplement network firewall rules to restrict access to the License Manager Service port (typically port 8080) to only authorized engineering workstations

WORKAROUNDDisable the License Manager Service if not actively required for operations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected Yokogawa products (CENTUM VP, CENTUM VP Entry Class, B/M9000 VP, ProSafe-RS, PRM) to the latest available firmware release beyond the affected version ranges

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: CENTUM VP: (R5.01.00 - R6.06.00), B/M9000 VP: (R7.01.01 - R8.02.03), ProSafe-RS: (R3.01.00 - R4.04.00), PRM: (R4.01.00 - R4.02.00), CENTUM VP Entry Class: (R5.01.00 - R6.06.00). Apply the following compensating controls:

HARDENINGIsolate Yokogawa control system networks from the business network using a demilitarized zone (DMZ) or air gap

HARDENINGImplement network segmentation to ensure License Manager Service is not accessible from the Internet

HARDENINGUse a VPN with current security patches for any required remote access to License Manager Service

CVEs (1)

CVE-2019-5909

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7216c8a2-01b5-45d2-815e-ed725b773f17