Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Yokogawa Patches Flaws Allowing Disruption, Manipulation of Physical Processes

Japanese automation giant Yokogawa recently patched a series of vulnerabilities in control system products that, according to researchers, can be exploited for the disruption or manipulation of physical processes.

Japanese automation giant Yokogawa recently patched a series of vulnerabilities in control system products that, according to researchers, can be exploited for the disruption or manipulation of physical processes.

Researchers from industrial cybersecurity company Dragos have discovered a total of ten vulnerabilities in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems.

Yokogawa shared information about the security holes in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.

The vulnerabilities are related to hardcoded credentials, path traversal, command injection, DLL hijacking, inappropriate access privileges, and uncontrolled resource consumption. The flaws, several of which have been assigned a “high severity” rating, can be exploited to access data, suppress alarms, overwrite or delete files, execute arbitrary commands, crash servers, and escalate privileges.

Exploitation of some vulnerabilities requires local access to the targeted system, while others can be exploited by sending specially crafted packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability specialist in Dragos’ Threat Operations Center, told SecurityWeek. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.”

Hanson said Dragos has no evidence of exploitation in the wild. However, in a real world attack, an attacker could exploit the vulnerabilities to take control of the HIS or render it useless by causing a DoS condition.

“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson said.

Advertisement. Scroll to continue reading.

Learn more about vulnerabilities in industrial systems security at SecurityWeek’s ICS Cyber Security Conference 

Yokogawa has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached end of support, will not receive updates and customers have been advised to update to CENTUM VP. Additional information from the vendor is available in its advisory.

“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson explained. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).”

Dragos reported in February that 1,703 ICS/OT vulnerabilities were assigned a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the flaws analyzed by the company affected systems located deep within the industrial network.

Related: Severe Flaws Found in Yokogawa Switches, Control Systems

Related: Serious DoS Flaw Impacts Several Yokogawa Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.