
Researchers Detail Critical Vulnerabilities in SCADA Product

Two security researchers uncovered vulnerabilities affecting a SCADA product that can be potentially used to compromise operations at critical infrastructure companies.

The findings were discussed March 8 at the RootedCon security event by Juan Vazquez of Rapid7 and Julian Vilas of Scytl. The subject of the talk was vulnerabilities in the Yokogawa CENTUM CS3000 product.

According to an advisory from the company, a computer where the CENTUM CS 3000 integrated production control system is installed may have three vulnerabilities that cause a buffer overflow. The vulnerabilities were found in version R3.08.50, and have been patched by the company.

“These are about as critical as you can measure,” said Tod Beardsley, Engineering Manager at Rapid7. “[The researchers] have disclosed discovered vulnerabilities that can both cause a remote denial of service on the affected HIS (human interface system) component as well as a remote code execution vulnerability that would allow an attacker to run arbitrary commands on the HIS. From there, an attacker can effectively control industrial systems with the same rights as an authorized operator.”

The vulnerabilities are described below by Vazquez:

R7-2013-19.1 – BKCLogSvr.exe Heap Based Buffer Overflow: The “BKCLogSvr.exe” service, started automatically with the system, listens by default on UDP/52302. By sending a specially crafted sequence of packets to UDP/52302 it’s possible to trigger a heap based buffer overflow, after a use of uninitialized data, which makes it possible to DoS the “BKCLogSvr.exe” and, in the last instance, could allow execution of arbitrary code with SYSTEM privileges.

R7-2013-19.3 – BKHOdeq.exe Stack Based Buffer Overflow: The “BKHOdeq.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20109, TCP/20171 and UDP/1240. By sending a specially crafted packet to the port TCP/20171 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

R7-2013-19.4 – BKBCopyD.exe Stack Based Buffer Overflow: The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The “BKBCopyD.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.


“It’s hard to categorize the ‘most likely attack scenario’ because it all depends on the motives of the attacker,” said Beardsley. “Attacks on SCADA systems can run the gamut of simple denial of service, to the planting of malware, to the more sophisticated and subtle attacks of introducing defects in an end product being manufactured on the factory floor, to the destruction of extremely expensive industrial equipment.”

“As far as mitigations to the attack scenarios, network controls which make arbitrary connections from the Internet impossible are the most critical first step any organization can do,” Beardsley added. “In most cases, these systems are accidentally accessible from the Internet, so a thorough audit of network segmentation and firewall rules is in order for any site that has these devices online. Of course, customers of Yokogawa are encouraged to contact Yokogawa’s sales and service representatives for any advice, mitigation strategies, or other concerns with the released patches.”
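The segmentation audit Beardsley recommends can be started from existing connection logs. The script below is an added example, not code from SecurityWeek, Rapid7 or Yokogawa: it takes the CENTUM CS3000 service ports named in the R7-2013-19 descriptions above (UDP/52302, TCP/20109, TCP/20171, UDP/1240, TCP/20111) and flags any connection to them whose source is not in the engineering network. The log line format, the engineering subnet (10.10.0.0/16) and the sample records are all constructed assumptions for the example.

```python
# Added example (not from the article or the vendor): audit connection records
# for traffic to CENTUM CS3000 service ports from sources outside the
# engineering network. Log format, allowed subnet and sample lines are
# constructed for this example.
import ipaddress
from collections import namedtuple

# Service ports listed in the R7-2013-19.1 / .3 / .4 descriptions.
CENTUM_SERVICE_PORTS = {
    ("udp", 52302): "BKCLogSvr.exe",
    ("tcp", 20109): "BKHOdeq.exe",
    ("tcp", 20171): "BKHOdeq.exe",
    ("udp", 1240): "BKHOdeq.exe",
    ("tcp", 20111): "BKBCopyD.exe",
}

# Assumption: only hosts in this engineering/control subnet may reach the HIS.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/16")]

# RFC 1918 ranges, listed explicitly so the classification is deterministic.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Finding = namedtuple("Finding", "ts src dst proto port service reason")


def parse_line(line):
    """Parse one constructed record: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError("unexpected record layout: %r" % line)
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, proto.lower(), src_ip, dst_ip, int(dport)


def classify_source(src_ip):
    """Return None if the source is allowed, otherwise the reason to flag it."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in ALLOWED_SOURCES):
        return None
    if not any(addr in net for net in RFC1918):
        return "non-RFC1918 source (possible Internet exposure)"
    return "outside engineering subnet"


def audit(lines):
    """Return a Finding for every record that reaches a CENTUM port from a non-allowed source."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src_ip, dst_ip, dport = parse_line(line)
        service = CENTUM_SERVICE_PORTS.get((proto, dport))
        if service is None:
            continue  # not one of the services the advisory names
        reason = classify_source(src_ip)
        if reason is None:
            continue  # engineering-network source, expected traffic
        findings.append(Finding(ts, src_ip, dst_ip, proto, dport, service, reason))
    return findings


# Constructed connection records, not real traffic.
SAMPLE_LOG = """\
2014-03-08T10:00:01 udp 10.10.5.20:40000 -> 10.10.1.10:52302
2014-03-08T10:00:02 tcp 192.168.50.7:51234 -> 10.10.1.10:20171
2014-03-08T10:00:03 tcp 198.51.100.23:4444 -> 10.10.1.10:20111
2014-03-08T10:00:04 udp 172.16.3.9:6000 -> 10.10.1.10:1240
2014-03-08T10:00:05 tcp 10.10.5.21:50000 -> 10.10.1.10:445
"""


def sample_findings():
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in sample_findings():
        print("%s %s %s:%d (%s) <- %s: %s"
              % (f.ts, f.proto, f.dst, f.port, f.service, f.src, f.reason))
```

Only the first record (an engineering-subnet host talking to BKCLogSvr.exe) and the last (a port the advisory does not mention) pass silently; the other three are reported. In practice the record format would be whatever the site's firewall or flow collector emits, and the allowed-source list would be taken from the segmentation design rather than hard-coded.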

*This story has been updated to reflect that Julian Vilas works with Scytl, not esCERT. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
