Yokogawa CENTUM and ProSafe-RS

Act NowCVSS 7.5ICS-CERT ICSA-22-123-01May 3, 2022

Yokogawa

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities exist in Yokogawa CENTUM VP, ProSafe-RS, and B/M9000 VP distributed control and safety systems. The vulnerabilities include authentication bypass (CWE-287), OS command injection (CWE-78), null pointer dereference (CWE-476), and improper input validation (CWE-20). Successful exploitation could allow an attacker with network access to leak or tamper with process data, cause denial of service, or execute arbitrary code on the engineering workstation or server. B/M9000 VP is indirectly affected if CENTUM is installed on the same PC.

What this means

What could happen

An attacker could crash your distributed control system (DCS) causing a denial of service, or tamper with process data and parameters if they reach the engineering workstation or engineering servers running affected Yokogawa software.

Who's at risk

Water utilities and power generation facilities running Yokogawa CENTUM VP (versions R6.01.10–R6.09.00 or R4.x), ProSafe-RS (versions R4.01.00–R4.07.00), and B/M9000 VP (versions R6.01.01–R6.03.02 or R8.01.01–R8.03.01) on engineering workstations or control servers are affected. These are distributed control systems (DCS) and safety-instrumented systems (SIS) used to manage critical process operations.

How it could be exploited

An attacker with network access to the engineering workstation or server running CENTUM VP or ProSafe-RS could send a specially crafted network request to a vulnerable component. The vulnerabilities include authentication bypass and OS command injection, allowing the attacker to crash the service or execute arbitrary commands on the system.

Prerequisites

Network access to the engineering workstation or engineering server running CENTUM VP, B/M9000 VP, or ProSafe-RS (typically port 10000 or similar)
Vulnerable versions must be installed: CENTUM VP R6.01.10–R6.09.00 (with VP6E5000), R6.01.10–R6.07.10 (with VP6E5100); ProSafe-RS R4.01.00–R4.07.00 (with RS4E5000), R4.01.00–R4.05.00 (with RS4E5100); B/M9000 VP R6.01.01–R6.03.02 or R8.01.01–R8.03.01

Remotely exploitable over the networkHigh EPSS score (15.8%)No fix available for CENTUM VP R4.01.00–R4.03.00 (end-of-life)Affects safety-instrumented systems (ProSafe-RS)Can cause denial of service to critical control systemsAuthentication bypass possible (CWE-287)OS command injection possible (CWE-78)

Exploitability

Likely to be exploited — EPSS score 15.8%

Affected products (6)

6 pending

ProductAffected VersionsFix Status

B/M9000 VP: R6.01.01 through R6.03.02≥ R6.01.01 | ≤ R6.03.02No fix yet

B/M9000 VP: R8.01.01 through R8.03.01≥ R8.01.01 | ≤ R8.03.01No fix yet

CENTUM VP (Including CENTUM VP Entry Class): R6.01.10 through R6.09.00 - (if VP6E5000 is installed)≥ R6.01.10 | ≤ R6.09.00 - (if VP6E5000 is installed)No fix yet

CENTUM VP (Including CENTUM VP Entry Class): R6.01.10 through R6.07.10 - if VP6E5000 or VP6E5100 are installed≥ R6.01.10 | ≤ R6.07.10 (if P6E5000 or P6E5100 are installed)No fix yet

Prosafe-RS: R4.01.00 through R4.07.00 - if RS4E5000 is installed≥ R4.01.00 | ≤ R4.07.00 (if RS4E5000 is installed)No fix yet

Prosafe-RS: R4.01.00 through R4.05.00 - if RS4E5000 or RS4E5100 are installed≥ R4.01.00 | ≤ R4.05.00 (if RS4E5000 or RS4E5100 are installed)No fix yet

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDFor CENTUM versions R4.01.00 through R4.03.00: Contact Yokogawa support. These products are end-of-life and will not receive patches. Plan a migration or implement network isolation controls.

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CENTUM VP to R6.09.00 and apply patch software R6.09.04. Review R6.09.04 install manual for precautions if your system links an Active Directory server with Plant Resource Manager (PRM).

HOTFIXUpdate ProSafe-RS to version R4.07.02 or later. Review install manual for precautions in environments where ProSafe-RS and CENTUM VP coexist or where Active Directory and PRM are linked.

HOTFIXIf B/M9000 VP is installed on the same PC as CENTUM, update B/M9000 VP to an appropriate revision after patching CENTUM.

Long-term hardening

0/2

HARDENINGPlace engineering workstations and servers running CENTUM VP or ProSafe-RS behind a firewall. Restrict network access from the business network and block any inbound connections from the Internet.

HARDENINGIf remote access to engineering stations is required, use a VPN and ensure it is kept up to date. Verify VPN devices are patched and access is restricted to authorized personnel only.

CVEs (5)

CVE-2022-27188 CVE-2022-26034 CVE-2019-0203 CVE-2018-11782 CVE-2015-0248

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f2f3baa8-cdd6-4b91-a73f-cbff6f6779a3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.