Juan Vazquez and Julian Vilas Diaz are the ones who uncovered the security holes

May 16, 2014 14:41 GMT  ·  By

Japan-based electrical engineering and software company Yokogawa Electric has addressed four buffer overflow vulnerabilities affecting various industrial control system (ICS) products.

The security holes were identified by Juan Vazquez of Rapid7 and independent researcher Julian Vilas Diaz. They reported their findings to CERT/CC, and NCCIC/ICS-CERT and JPCERT (the Japanese CERT) also took part in coordinating the fixes.

The experts found the buffer overflow vulnerabilities in the Yokogawa CENTUM CS 3000 application. However, Yokogawa determined that other products are affected as well.

The vulnerabilities discovered by researchers are the following:

- CVE-2014-0781: heap-based buffer overflow in the “BKCLogSvr.exe” service that could be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code with SYSTEM privileges;

- CVE-2014-0783: stack-based buffer overflow in the “BKHOdeq.exe” service that could be leveraged to execute arbitrary code with the privileges of the CENTUM user;

- CVE-2014-0784: stack-based buffer overflow in the “BKBCopyD.exe” service that allows execution of arbitrary code with the privileges of the CENTUM user;

- CVE-2014-0782: stack-based buffer overflow in the “BKESimmgr.exe” service that allows execution of arbitrary code with the privileges of the CENTUM user.

All of these vulnerabilities can be exploited remotely by sending a specially crafted packet to various ports, depending on the targeted service.
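All four bugs share one shape: a network service reads a length or record out of an attacker-controlled packet and copies it into a fixed-size buffer without checking it against the bytes that actually arrived or the size of the destination. The following C program is an added illustration of that pattern and of the check that closes it; it is not Yokogawa code, and the wire format (a one-byte opcode, a two-byte big-endian length, then the payload), the buffer size and the sample packets are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for illustration only (not Yokogawa's protocol):
 *   [u8 opcode][u16 big-endian payload length][payload bytes]
 * The handler copies the payload into a fixed-size buffer on the stack. */
#define HDR_LEN   3
#define NAME_MAX  32   /* size of the stack buffer in the hypothetical handler */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable shape: the attacker-supplied length field alone drives the copy.
 * A packet declaring more than NAME_MAX-1 bytes overruns 'name' on the stack
 * and, with a deliberately built payload, lets the sender take control of the
 * process. It is kept here only to show the defect; call it with benign input. */
size_t handle_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_MAX];
    (void)pkt_len;                        /* received length never consulted: the bug */
    uint16_t len = rd_be16(pkt + 1);
    memcpy(name, pkt + HDR_LEN, len);     /* no bound on len at all */
    name[len] = '\0';
    return strlen(name);
}

/* Hardened shape: check the header against the bytes that actually arrived,
 * then the declared length against the destination, before copying anything. */
enum parse_status handle_checked(const uint8_t *pkt, size_t pkt_len,
                                 char *out, size_t out_len)
{
    if (pkt_len < HDR_LEN)
        return PARSE_TRUNCATED;
    uint16_t len = rd_be16(pkt + 1);
    if ((size_t)len > pkt_len - HDR_LEN)  /* claims more payload than was received */
        return PARSE_TRUNCATED;
    if ((size_t)len >= out_len)           /* would not fit with its terminator */
        return PARSE_TOO_LONG;
    memcpy(out, pkt + HDR_LEN, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Declares 1000 payload bytes but delivers four: rejected as truncated. */
static const uint8_t short_pkt[]  = { 0x01, 0x03, 0xE8, 'A', 'A', 'A', 'A' };
/* Declares and delivers 40 bytes, more than the 32-byte buffer: rejected. */
static uint8_t long_pkt[HDR_LEN + 40];

void build_long_pkt(void)
{
    long_pkt[0] = 0x01;
    long_pkt[1] = 0x00;
    long_pkt[2] = 40;
    memset(long_pkt + HDR_LEN, 'A', 40);
}

int main(void)
{
    char out[NAME_MAX];
    build_long_pkt();
    printf("unchecked, benign: copied %zu bytes\n",
           handle_unchecked(benign_pkt, sizeof benign_pkt));
    printf("checked, benign:   status %d, name '%s'\n",
           handle_checked(benign_pkt, sizeof benign_pkt, out, sizeof out), out);
    printf("checked, short:    status %d\n",
           handle_checked(short_pkt, sizeof short_pkt, out, sizeof out));
    printf("checked, long:     status %d\n",
           handle_checked(long_pkt, sizeof long_pkt, out, sizeof out));
    return 0;
}
```

The two checks in handle_checked are independent and both are needed: the first stops the parser reading past the end of the received datagram, the second stops the copy writing past the end of the destination. Only the second is the overflow the article is about, but a parser that performs one without the other is still exploitable in the other direction.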

Administrators are advised to apply the patches made available by Yokogawa as soon as possible: the flaws require little skill to exploit, and working exploit code is already public.

“Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation,” ICS-CERT noted in its advisory.

All four vulnerabilities affect CENTUM CS 1000 (all revisions) and the following products at the listed revision and earlier: CENTUM CS 3000 R3.09.50, CENTUM CS 3000 Entry Class R3.09.50, CENTUM VP R5.03.00, CENTUM VP Entry Class R5.03.00, Exaopc R3.71.02, B/M9000CS R5.05.01, and B/M9000 VP R7.03.01.

Products like ProSafe-RS, Exapilot, Exaplog, Exaquantum, Exasmoc, Exarqe, AAASuite, PRM R3.11.20, STARDOM FCN/FCJ OPC Server for Windows, Field Wireless Device OPC Server, DAQOPC, FieldMate, EJXMVTool, RPO Production Supervisor VP, CENTUM Long-term Trend Historian, and CENTUM Event Viewer Package are affected only by the first vulnerability (CVE-2014-0781, the BKCLogSvr.exe heap overflow).

These are systems and tools for production control, quality control, information management, alarm management, device management, event analysis, and asset management. They are used in sectors like energy, critical manufacturing, and food and agriculture.

Additional details on the vulnerabilities affecting Yokogawa products are available from ICS-CERT.