Japanese automation giant Yokogawa recently patched a series of vulnerabilities in control system products that, according to researchers, can be exploited for the disruption or manipulation of physical processes.
Researchers from industrial cybersecurity company Dragos have discovered a total of ten vulnerabilities in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems.
Yokogawa shared information about the security holes in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.
The vulnerabilities are related to hardcoded credentials, path traversal, command injection, DLL hijacking, inappropriate access privileges, and uncontrolled resource consumption. The flaws, several of which have been assigned a “high severity” rating, can be exploited to access data, suppress alarms, overwrite or delete files, execute arbitrary commands, crash servers, and escalate privileges.
Exploitation of some vulnerabilities requires local access to the targeted system, while others can be exploited by sending specially crafted packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).
“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability specialist in Dragos’ Threat Operations Center, told SecurityWeek. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.”
Hanson said Dragos has no evidence of exploitation in the wild. However, in a real world attack, an attacker could exploit the vulnerabilities to take control of the HIS or render it useless by causing a DoS condition.
“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson said.
Learn more about vulnerabilities in industrial systems security at SecurityWeek’s ICS Cyber Security Conference
Yokogawa has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached end of support, will not receive updates and customers have been advised to update to CENTUM VP. Additional information from the vendor is available in its advisory.
“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson explained. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).”
Dragos reported in February that 1,703 ICS/OT vulnerabilities were assigned a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the flaws analyzed by the company affected systems located deep within the industrial network.
Related: Severe Flaws Found in Yokogawa Switches, Control Systems