OTPulse

Yokogawa CENTUM (Update A)

Plan: Patch | 8.1 | ICS-CERT ICSA-20-224-01 | Aug 11, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Yokogawa CENTUM DCS and related products contain multiple vulnerabilities (CWE-287 authentication bypass, CWE-22 path traversal) that allow unauthenticated network attackers to send tampered communication packets, create or overwrite arbitrary files, and execute commands on the control system. Affected products include B/M9000CS (R5.04.01–R5.05.01), CENTUM VP (R4.01.00–R6.07.00), Exaopc (R3.72.00–R3.78.00), CENTUM CS 3000 (R3.08.10–R3.09.50), and B/M9000 VP (R6.01.01–R8.03.01).

What this means
What could happen
An attacker with network access to a vulnerable Yokogawa control system could send malicious packets to tamper with communications, overwrite files, or execute arbitrary commands on the system, potentially disrupting process control or altering operational setpoints.
Who's at risk
Water authorities and electric utilities running Yokogawa CENTUM supervisory control and data acquisition (SCADA) and distributed control system (DCS) products, including B/M9000CS, CENTUM VP, CENTUM CS 3000, B/M9000 VP, and Exaopc. Any organization using these systems for real-time process monitoring and control of critical infrastructure is at risk.
How it could be exploited
An attacker must have network access to the affected Yokogawa system; the advisory states no Internet-exposure requirement, so access from the local or an adjacent network segment is assumed. The attacker sends crafted packets that exploit the authentication or path-validation flaws either to intercept or modify control communications or to write files to arbitrary locations on the server, then executes commands to alter system behavior.
Prerequisites
  • Network access to the vulnerable Yokogawa device on the control system network
  • No credentials required for exploitation
Tags: no authentication required | low complexity attack | no patch available for multiple product versions | affects critical control systems
Exploitability
Moderate exploit probability (EPSS 4.5%)
Affected products (5)
2 with fix | 2 pending | 1 EOL

Product | Affected Versions | Fix Status
B/M9000CS | R5.04.01 – R5.05.01 | No fix yet
B/M9000 VP | R6.01.01 – R8.03.01 | No fix yet
CENTUM CS 3000 | R3.08.10 – R3.09.50 (including CENTUM CS 3000 Entry Class) | No fix (EOL)
Exaopc | R3.72.00 – R3.78.00 | R3.78.10 or later
CENTUM VP | R4.01.00 – R6.07.00 (including CENTUM VP Entry Class) | R5.04.D1 (for R5.01.00–R5.04.20), R6.07.11 (for R6.01.00–R6.07.00), or latest revision (for R4.01.00–R4.03.00)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

B/M9000 VP:
  • HOTFIX: B/M9000CS and B/M9000 VP: If CENTUM CS 3000 is installed on the same PC, update to a suitable revision; if CENTUM VP is installed, update B/M9000 VP to a suitable revision
All products:
  • HOTFIX: Exaopc: Update to R3.78.10 or later
  • HOTFIX: CENTUM VP R5.01.00 – R5.04.20: Apply patch R5.04.D1
  • HOTFIX: CENTUM VP R6.01.00 – R6.07.00: Apply patch R6.07.11
  • HOTFIX: CENTUM CS 3000 R3.08.10 – R3.09.50 (end-of-support products): Upgrade to the latest CENTUM VP revision instead of patching
Mitigations - no patch available
CENTUM CS 3000: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Locate control system networks and remote devices behind firewalls and isolate them from the business network to restrict attacker network access
  • HARDENING: Minimize network exposure for all control system devices and ensure they are not accessible from the Internet