Yokogawa STARDOM

Monitor5.3ICS-CERT ICSA-23-334-02Nov 30, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability in Yokogawa STARDOM FCN/FCJ controllers (versions R1.01 through R4.31) allows a remote attacker to send a specially crafted packet to make the controller unresponsive. The vulnerability requires no authentication. Yokogawa has not released a firmware patch. The company recommends enabling packet filtering (requires upgrade to R4.20 or later) and network-level controls to restrict access to trusted hosts.

What this means

What could happen

An attacker can send a crafted network packet to the FCN/FCJ controller to cause it to stop responding, disrupting any process control or monitoring functions it provides to your facility.

Who's at risk

Water and electric utilities, municipal facilities, and any organization using Yokogawa STARDOM FCN/FCJ controllers for process control, monitoring, or automation. The vulnerability affects all versions from R1.01 through R4.31, which are commonly deployed in legacy and current control systems.

How it could be exploited

An attacker with network access to the FCN/FCJ controller can send a specially crafted packet that causes the device to become unresponsive (denial of service). The attack requires no credentials or user interaction and can be performed remotely over the network.

Prerequisites

Network reachability to FCN/FCJ controller on standard management/control ports
No authentication or credentials required

Remotely exploitableNo authentication requiredLow complexity attackNo patch currently availableDenial of service to control systems

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

STARDOM FCN/FCJ: >=R1.01|<=R4.31≥ R1.01|≤ R4.31No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDEnable the packet filter function on FCN/FCJ to allow connections only from trusted hosts

HARDENINGImplement network-level controls to prevent malicious packets from reaching the FCN/FCJ

HARDENINGImplement firewall rules to restrict network access to FCN/FCJ to only necessary trusted sources

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FCN/FCJ basic software to R4.20 or later to enable and use the packet filter function

Mitigations - no patch available

0/1

STARDOM FCN/FCJ: >=R1.01|<=R4.31 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGEnsure FCN/FCJ controllers are not directly accessible from the internet or business networks

CVEs (1)

CVE-2023-5915

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5bad8f97-f747-42df-8646-d6a66c491ad6