Yokogawa FAST/TOOLS and CI Server

MonitorCVSS 6.9ICS-CERT ICSA-24-179-03Jun 27, 2024

YokogawaEnergyManufacturing

Summary

FAST/TOOLS and CI Server contain script injection vulnerabilities (CWE-79, CWE-258) in versions R9.01 through R10.04 and R1.01.00 through R1.03.00 respectively. These allow an attacker to inject and execute malicious scripts, potentially gaining control of affected systems. The vulnerabilities affect multiple FAST/TOOLS packages including RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB. Successful exploitation could allow an attacker to take control of the engineering platform and alter industrial process configurations or setpoints.

What this means

What could happen

An attacker could inject malicious scripts into FAST/TOOLS or CI Server to execute arbitrary code and take control of the engineering workstations or servers, potentially allowing them to modify process configurations, setpoints, or alarm thresholds in connected industrial equipment.

Who's at risk

Energy and manufacturing organizations using Yokogawa FAST/TOOLS (versions R9.01 through R10.04) or CI Server (versions R1.01.00 through R1.03.00) for engineering workstations, human-machine interfaces, and process automation configuration are affected. This includes facilities that rely on these systems for remote monitoring, configuration, or data exchange with industrial control systems.

How it could be exploited

An attacker with network access to a FAST/TOOLS or CI Server instance could inject a malicious script (CWE-79 indicates cross-site scripting or similar script injection). Once the script runs, the attacker gains code execution on that system, which could then be used to modify industrial process parameters or configurations managed through the software.

Prerequisites

Network access to FAST/TOOLS or CI Server web interface or API
User interaction may be required to trigger script execution (depending on injection vector)
No authentication required if the injection point is accessible to unauthenticated users

no patch available for versions R9.01 to R10.04script injection vulnerability allows arbitrary code executionaffects engineering workstations with access to industrial systemsdefault credentials may still be in use

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (6)

1 with fix5 pending

ProductAffected VersionsFix Status

FAST/TOOLS RVSVRN Package: >=R9.01|<=R10.04≥ R9.01|≤ R10.04No fix yet

FAST/TOOLS UNSVRN Package: >=R9.01|<=R10.04≥ R9.01|≤ R10.04No fix yet

FAST/TOOLS HMIWEB Package: >=R9.01|<=R10.04≥ R9.01|≤ R10.04No fix yet

FAST/TOOLS FTEES Package: >=R9.01|<=R10.04≥ R9.01|≤ R10.04No fix yet

FAST/TOOLS HMIMOB Package: >=R9.01|<=R10.04≥ R9.01|≤ R10.04No fix yet

CI Server: >=R1.01.00|<=R1.03.00≥ R1.01.00|≤ R1.03.00R1.03.00 with patch R10.04 SP3

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGChange the default account password for both FAST/TOOLS and CI Server if it has not already been changed

HARDENINGRestrict network access to FAST/TOOLS and CI Server to authorized engineering workstations only using firewall rules or network segmentation

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FAST/TOOLS to R10.04, then apply patch software R10.04 SP3, followed by patch software I12560

HOTFIXUpdate CI Server to R1.03.00 and apply patch software R10.04 SP3

Long-term hardening

0/1

HARDENINGImplement input validation and output encoding on web interfaces to prevent script injection attacks

CVEs (2)

CVE-2024-4105 CVE-2024-4106

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9e0e047e-b84a-4f6f-820c-4a207e8a434f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.