ICS/OT

Researchers Detail Critical Vulnerabilities in SCADA Product

Two security researchers uncovered vulnerabilities affecting a SCADA product that can be potentially used to compromise operations at critical infrastructure companies.

The findings were discussed March 8 at the RootedCon security event by Juan Vazquez of Rapid7 and Julian Vilas of Scytl. The subject of the talk was vulnerabilities in the Yokogawa CENTUM CS3000 product.

According to an advisory from the company, a computer where the CENTUM CS 3000 integrated production control system is installed may have three vulnerabilities that cause a buffer overflow. The vulnerabilities were found in version R3.08.50, and have been patched by the company.

“These are about as critical as you can measure,” said Tod Beardsley, Engineering Manager at Rapid7. “[The researchers] have disclosed discovered vulnerabilities that can both cause a remote denial of service on the affected HIS (human interface system) component as well as a remote code execution vulnerability that would allow an attacker to run arbitrary commands on the HIS. From there, an attacker can effectively control industrial systems with the same rights as an authorized operator.”

The vulnerabilities are described below by Vazquez:

R7-2013-19.1 – BKCLogSvr.exe Heap Based Buffer Overflow: The “BKCLogSvr.exe” service, started automatically with the system, listens by default on UDP/52302. By sending a specially crafted sequence of packets to UDP/52302 it’s possible to trigger a heap based buffer overflow, after a usage of uninitialized data, which allows a DoS of the “BKCLogSvr.exe”, and in the last instance, could allow execution of arbitrary code with SYSTEM privileges.

R7-2013-19.3 – BKHOdeq.exe Stack Based Buffer Overflow: The “BKHOdeq.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20109, TCP/20171 and UDP/1240. By sending a specially crafted packet to the port TCP/20171 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

R7-2013-19.4 – BKBCopyD.exe Stack Based Buffer Overflow: The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The “BKBCopyD.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

“It’s hard to categorize the ‘most likely attack scenario’ because it all depends on the motives of the attacker,” said Beardsley. “Attacks on SCADA systems can run the gamut of simple denial of service, to the planting of malware, to the more sophisticated and subtle attacks of introducing defects in an end product being manufactured on the factory floor, to the destruction of extremely expensive industrial equipment.”

“As far as mitigations to the attack scenarios, network controls which make arbitrary connections from the Internet impossible are the most critical first step any organization can do,” Beardsley added. “In most cases, these systems are accidentally accessible from the Internet, so a thorough audit of network segmentation and firewall rules is in order for any site that has these devices online. Of course, customers of Yokogawa are encouraged to contact Yokogawa’s sales and service representatives for any advice, mitigation strategies, or other concerns with the released patches.”
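To make the segmentation audit Beardsley recommends concrete, here is an added example (not code from the article, Rapid7 or Yokogawa): a Python check that parses constructed firewall log lines and flags any allowed connection to the CENTUM service ports named above whose source is outside the control-network subnet. The key=value log format, the 10.10.0.0/24 trusted subnet and the sample addresses are assumptions.

```python
import ipaddress
import re

# Ports the article lists for the affected CENTUM CS3000 services.
CENTUM_SERVICE_PORTS = {
    ("udp", 52302): "BKCLogSvr.exe",
    ("tcp", 20109): "BKHOdeq.exe",
    ("tcp", 20171): "BKHOdeq.exe",
    ("udp", 1240): "BKHOdeq.exe",
    ("tcp", 20111): "BKBCopyD.exe",
}

# Assumption: only hosts in this control-network subnet may reach HIS services.
TRUSTED_CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")

# Assumption: a simple key=value firewall log format (constructed, not vendor-specific).
LOG_RE = re.compile(r"proto=(tcp|udp) src=([\d.]+) dst=([\d.]+) dport=(\d+)")


def find_exposed_connections(log_lines):
    """Return (src, dst, proto, dport, service) for every allowed hit on a
    CENTUM service port whose source lies outside the trusted control subnet."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than crash the audit
        proto, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        service = CENTUM_SERVICE_PORTS.get((proto, dport))
        if service is None:
            continue  # not one of the vulnerable services
        if ipaddress.ip_address(src) in TRUSTED_CONTROL_NET:
            continue  # expected operator traffic from the control network
        findings.append((src, dst, proto, dport, service))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "action=allow proto=udp src=10.10.0.15 dst=10.10.0.5 dport=52302",
    "action=allow proto=tcp src=203.0.113.7 dst=10.10.0.5 dport=20171",
    "action=allow proto=tcp src=198.51.100.9 dst=10.10.0.5 dport=443",
    "action=allow proto=tcp src=198.51.100.9 dst=10.10.0.5 dport=20111",
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for src, dst, proto, dport, service in find_exposed_connections(SAMPLE_LOG):
        print("EXPOSED: %s -> %s %s/%d (%s)" % (src, dst, proto, dport, service))
```

Any finding means a host outside the control network reached one of the vulnerable services, which is exactly the accidental Internet exposure the quote warns about; the port map is the piece to adapt to a real site inventory.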

*This story has been updated to reflect that Julian Vilas works with Scytl, not esCERT.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.