Yokogawa CENTUM
Plan Patch · CVSS 8.5 · ICS-CERT ICSA-24-172-01 · Jun 20, 2024
Summary
Yokogawa CENTUM CS 3000 and CENTUM VP controllers contain an improper access control flaw (CWE-284) that allows an attacker with network access to execute arbitrary programs on the device. This vulnerability affects CENTUM CS 3000 (R3.08.10–R3.09.50) and multiple CENTUM VP version families (R4.01.00–R4.03.00, R5.01.00–R5.04.20, and R6.01.00–R6.11.10). Successful exploitation could enable an attacker to run unauthorized commands on the controller, compromising process control.
What this means
What could happen
An attacker who gains access to a Yokogawa CENTUM control system could execute arbitrary programs on the device, potentially allowing them to modify setpoints, halt operations, or disrupt critical process control in energy generation or manufacturing facilities.
Who's at risk
Energy and manufacturing organizations operating Yokogawa CENTUM control systems for process automation should care. This affects CENTUM CS 3000 systems and CENTUM VP systems across multiple version families used to control critical infrastructure like power plants and process manufacturing facilities.
How it could be exploited
An attacker with network access to the CENTUM device (or through an engineering workstation connected to it) could exploit an improper access control flaw to run unauthorized commands or programs on the controller, gaining effective control over plant operations.
Prerequisites
- Network access to CENTUM CS 3000 or CENTUM VP device on port 502 or engineering interface
- Access to engineering workstation or direct network path to the control system
- remotely exploitable
- no patch available for CENTUM CS 3000 and older CENTUM VP versions
- high CVSS (8.5)
- affects control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class) | ≥ R3.08.10, ≤ R3.09.50 | No fix yet
CENTUM VP (Including CENTUM VP Entry Class) | ≥ R4.01.00, ≤ R4.03.00 | No fix yet
CENTUM VP (Including CENTUM VP Entry Class) | ≥ R5.01.00, ≤ R5.04.20 | No fix yet
CENTUM VP (Including CENTUM VP Entry Class) | ≥ R6.01.00, ≤ R6.11.10 | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Place CENTUM devices behind a firewall and isolate the control system network from the business network
- WORKAROUND: Restrict network access to CENTUM engineering interfaces; use firewall rules to limit which workstations can reach the device
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade CENTUM VP systems to version R6.11.12 or later
- HARDENING: If remote access to CENTUM is required, use a VPN and ensure it is kept updated
Long-term hardening
- HARDENING: For CENTUM CS 3000 and older CENTUM VP versions (R4.x, R5.x, R6.0–R6.11.10): replace with newer CENTUM VP R6.11.12 or later, or implement compensating network controls
- HARDENING: Establish or strengthen anti-virus, backup/recovery, whitelisting, and network hardening practices across the control system environment
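The affected-version ranges and the R6.11.12 fix level listed above can be applied to an asset inventory as sketched here. This is an added example, not code from the advisory or from Yokogawa; the inventory rows and hostnames are constructed, and the function names and the assumption that every release string has the form R<major>.<minor>.<patch> are illustrative.

```python
import re

# Inclusive ranges copied from the affected-products table above.
AFFECTED = [
    ("CENTUM CS 3000", "R3.08.10", "R3.09.50"),
    ("CENTUM VP", "R4.01.00", "R4.03.00"),
    ("CENTUM VP", "R5.01.00", "R5.04.20"),
    ("CENTUM VP", "R6.01.00", "R6.11.10"),
]
VP_FIXED_FROM = "R6.11.12"  # fix level named in the remediation list

_RELEASE = re.compile(r"R(\d+)\.(\d+)\.(\d+)")


def parse_release(text):
    """Turn 'R6.11.10' into (6, 11, 10); assumes the R<major>.<minor>.<patch> form."""
    m = _RELEASE.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(product, release):
    """Classify one asset as 'affected', 'fixed' or 'not-listed'."""
    rel = parse_release(release)
    for name, low, high in AFFECTED:
        if product == name and parse_release(low) <= rel <= parse_release(high):
            return "affected"
    if product == "CENTUM VP" and rel >= parse_release(VP_FIXED_FROM):
        return "fixed"
    # Outside every listed range and below the fix level (for example R6.11.11):
    # the advisory data makes no statement, so flag the asset for manual review.
    return "not-listed"


def triage_inventory(assets):
    """Map each (hostname, product, release) row to its triage result."""
    return {host: triage(product, release) for host, product, release in assets}


# Constructed inventory for illustration; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("fcs-boiler-01", "CENTUM CS 3000", "R3.09.50"),
    ("fcs-turbine-02", "CENTUM VP", "R6.11.10"),
    ("fcs-turbine-03", "CENTUM VP", "R6.11.12"),
    ("fcs-util-04", "CENTUM VP", "R6.11.11"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Entry Class systems fall under the same product names in the table, so inventory rows for them should use "CENTUM CS 3000" or "CENTUM VP" as the product value.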
CVEs (1)