OTPulse

Yokogawa FAST/TOOLS and CI Server

Monitor · 6.9 · ICS-CERT ICSA-24-179-03 · Jun 27, 2024
Summary

FAST/TOOLS and CI Server contain script injection vulnerabilities (CWE-79, CWE-258) in versions R9.01 through R10.04 and R1.01.00 through R1.03.00 respectively. These allow an attacker to inject and execute malicious scripts, potentially gaining control of affected systems. The vulnerabilities affect multiple FAST/TOOLS packages including RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB. Successful exploitation could allow an attacker to take control of the engineering platform and alter industrial process configurations or setpoints.

What this means
What could happen
An attacker could inject malicious scripts into FAST/TOOLS or CI Server to execute arbitrary code and take control of the engineering workstations or servers, potentially allowing them to modify process configurations, setpoints, or alarm thresholds in connected industrial equipment.
Who's at risk
Energy and manufacturing organizations using Yokogawa FAST/TOOLS (versions R9.01 through R10.04) or CI Server (versions R1.01.00 through R1.03.00) for engineering workstations, human-machine interfaces, and process automation configuration are affected. This includes facilities that rely on these systems for remote monitoring, configuration, or data exchange with industrial control systems.
How it could be exploited
An attacker with network access to a FAST/TOOLS or CI Server instance could inject a malicious script (CWE-79 indicates cross-site scripting or similar script injection). Once the script runs, the attacker gains code execution on that system, which could then be used to modify industrial process parameters or configurations managed through the software.
Prerequisites
  • Network access to FAST/TOOLS or CI Server web interface or API
  • User interaction may be required to trigger script execution (depending on injection vector)
  • No authentication required if the injection point is accessible to unauthenticated users
Key risk factors
  • No patch available for versions R9.01 to R10.04
  • Script injection vulnerability allows arbitrary code execution
  • Affects engineering workstations with access to industrial systems
  • Default credentials may still be in use
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (6)
1 with fix, 5 pending

Product                      Affected Versions         Fix Status
FAST/TOOLS RVSVRN Package    ≥ R9.01, ≤ R10.04         No fix yet
FAST/TOOLS UNSVRN Package    ≥ R9.01, ≤ R10.04         No fix yet
FAST/TOOLS HMIWEB Package    ≥ R9.01, ≤ R10.04         No fix yet
FAST/TOOLS FTEES Package     ≥ R9.01, ≤ R10.04         No fix yet
FAST/TOOLS HMIMOB Package    ≥ R9.01, ≤ R10.04         No fix yet
CI Server                    ≥ R1.01.00, ≤ R1.03.00    R1.03.00 with patch R10.04 SP3
Remediation & Mitigation
Do now
HARDENING: Change the default account password for both FAST/TOOLS and CI Server if it has not already been changed
HARDENING: Restrict network access to FAST/TOOLS and CI Server to authorized engineering workstations only, using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FAST/TOOLS to R10.04, then apply patch software R10.04 SP3, followed by patch software I12560
HOTFIX: Update CI Server to R1.03.00 and apply patch software R10.04 SP3
Long-term hardening
HARDENING: Implement input validation and output encoding on web interfaces to prevent script injection attacks