Yokogawa Electric Corp., of Japan, recently patched multiple critical flaws in its control system software that can be abused to suppress alarms, read or write files, crash the server, or execute arbitrary code.
Researchers at cybersecurity firm Dragos have identified ten critical flaws in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems. The remotely exploitable vulnerabilities are related to hard-coded credentials, relative path traversal, improper output neutralization for logs, OS command injection, permissions, privileges, access controls, and uncontrolled resource consumption.
The vulnerabilities, a lot of which have been assigned a “high severity” rating, require local access to the targeted device, while others can be abused by sending specially designed packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).
“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability expert in Dragos' Threat Operations Center, stated. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.”
Thus far, Dragos researchers have no evidence to suggest that vulnerabilities are exploited in the wild. However, in a real-world attack, a malicious actor could abuse the security loopholes to secure access to the HIS or render it useless by causing a DoS condition.
“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson added.
Japanese automation giant has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached the end of life, will not receive updates and users have been recommended to update to CENTUM VP. The company released details about the flaws in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.
“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson concluded. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).”
Earlier this year in February, Dragos reported that 1,703 ICS/OT vulnerabilities received a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the security loopholes examined by the firm impacted systems located deep within the industrial network.
