The CENTUM CS 3000 R3, which is sold by Yokogawa Electric, has about 7,600 deployments for plant operation and monitoring in Europe, the US and Asia, including for power plants, chemical facilities and petrochemical plants. Rapid7 has uncovered overflow vulnerabilities in the Japanese Windows-based production control system which, if exploited, could allow execution of arbitrary code with user and system privileges. Hackers could also take screenshots to gather information about running projects or hijack SCADA communications.
In a technical analysis, the firm detailed three vulnerabilities found in different services used by the Yokogawa CENTUM CS3000 product in order to provide all its functionality. The vulnerabilities have been found in the version R3.08.50.
The first, R7-2013-19.1, is a heap-based buffer overflow in BKCLogSvr.exe. The BKCLogSvr.exe service is started automatically with the system and listens by default on UDP/52302. By sending a specially crafted sequence of packets to UDP/52302 it is possible to trigger a heap-based buffer overflow, following a use of uninitialized data, which allows a denial of service attack and potentially the execution of arbitrary code with system privileges.
R7-2013-19.3 and R7-2013-19.4 are both stack-based buffer overflow flaws. The former concerns BKHOdeq.exe, an application that starts automatically and listens by default on TCP/20109, TCP/20171 and UDP/1240. The latter concerns BKBCopyD.exe, which listens by default on TCP/20111. Malicious actors can send specially crafted packets to TCP/20171 in the first case and to TCP/20111 in the second, triggering a stack-based buffer overflow that allows the execution of arbitrary code with the privileges of the CENTUM user.
Rapid7's security experts warn that the vulnerabilities could affect any organization running CENTUM CS3000 engineering projects. They recommend upgrading the software, and protecting access to engineering projects by making sure they can only be accessed remotely through VPN or gateway products.
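The access restriction Rapid7 recommends can be monitored as well as enforced. The following script is an added example, not code from Rapid7 or Yokogawa: it reads firewall-style connection records (a constructed, simplified format) and flags any connection to one of the CENTUM service ports named above that does not come from an allow-listed engineering station. The service-to-port mapping is taken from the advisory text; the log format, the host addresses and the allow list are assumptions made for the example and would come from a site's own inventory.

```python
"""Flag connections to Yokogawa CENTUM CS3000 service ports from hosts that are
not allow-listed engineering stations.  Added illustration; the log line format,
addresses and allow list below are constructed for the example."""

from dataclasses import dataclass

# Listening ports named in the advisory, keyed by (protocol, port) -> service.
CENTUM_SERVICE_PORTS = {
    ("udp", 52302): "BKCLogSvr.exe",
    ("tcp", 20109): "BKHOdeq.exe",
    ("tcp", 20171): "BKHOdeq.exe",
    ("udp", 1240): "BKHOdeq.exe",
    ("tcp", 20111): "BKBCopyD.exe",
}

# Assumed engineering-station addresses permitted to reach the CENTUM hosts
# (constructed; in practice this comes from the plant's asset inventory).
ALLOWED_SOURCES = {"10.10.1.5", "10.10.1.6"}


@dataclass
class Alert:
    src: str
    dst: str
    proto: str
    port: int
    service: str


def parse_line(line):
    """Parse one constructed log line of the form
    '<timestamp> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'.
    Returns (proto, src_ip, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    proto = parts[1].lower()
    src_ip = parts[2].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    if not dst_port.isdigit():
        return None
    return proto, src_ip, dst_ip, int(dst_port)


def find_alerts(lines, allowed_sources=ALLOWED_SOURCES):
    """Return an Alert for every connection to a CENTUM service port whose
    source is not an allow-listed engineering station."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines we cannot parse rather than guessing
        proto, src, dst, port = parsed
        service = CENTUM_SERVICE_PORTS.get((proto, port))
        if service is None or src in allowed_sources:
            continue
        alerts.append(Alert(src, dst, proto, port, service))
    return alerts


# Constructed sample records: one permitted engineering-station session,
# two connections from an unexpected host, one non-CENTUM port, one bad line.
SAMPLE_LOG = [
    "2014-03-10T09:00:01 TCP 10.10.1.5:50123 -> 10.10.2.20:20171",
    "2014-03-10T09:00:05 UDP 192.168.77.9:41000 -> 10.10.2.20:52302",
    "2014-03-10T09:00:07 TCP 192.168.77.9:41001 -> 10.10.2.20:20111",
    "2014-03-10T09:00:09 TCP 10.10.1.6:50200 -> 10.10.2.20:443",
    "malformed line",
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"ALERT {a.src} -> {a.dst} {a.proto}/{a.port} ({a.service})")
```

Run against the constructed sample, the script reports the two connections from 192.168.77.9 (to BKCLogSvr.exe on UDP/52302 and BKBCopyD.exe on TCP/20111) and stays silent for the allow-listed station and the non-CENTUM port. The same mapping can be turned into a deny rule on the VPN gateway or plant firewall so that only the engineering stations can reach these services at all.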
Yokogawa was alerted to the vulnerabilities in December 2013, and has started to publish patches.