yokogawa CVE Vulnerabilities & Metrics

A vulnerability of Uncontrolled Resource Consumption has been identified in STARDOM provided by Yokogawa Electric Corporation. This vulnerability may allow to a remote attacker to cause a denial-of-service condition to the FCN/FCJ controller by sending a crafted packet. While sending the packet, the maintenance homepage of the controller could not be accessed. Therefore, functions of the maintenance homepage, changing configuration, viewing logs, etc. are not available. But the controller’s operation is not stopped by the condition. The affected products and versions are as follows: STARDOM FCN/FCJ R1.01 to R4.31.

CENTUM series provided by Yokogawa Electric Corporation are vulnerable to cleartext storage of sensitive information. If an attacker who can login or access the computer where the affected product is installed tampers the password file stored in the computer, the user privilege which CENTUM managed may be escalated. As a result, the control system may be operated with the escalated user privilege. To exploit this vulnerability, the following prerequisites must be met: (1)An attacker has obtained user credentials where the affected product is installed, (2)CENTUM Authentication Mode is used for user authentication when CENTUM VP is used. The affected products and versions are as follows: CENTUM CS 1000, CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class) R2.01.00 to R3.09.50, CENTUM VP (Including CENTUM VP Entry Class) R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, and R6.01.00 and later, B/M9000 CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R7.04.51 and R8.01.01 and later

Stack-based buffer overflow in WTViewerE series WTViewerE 761941 from 1.31 to 1.61 and WTViewerEfree from 1.01 to 1.52 allows an attacker to cause the product to crash by processing a long file name.

CENTUM VP / CS 3000 controller FCS (CP31, CP33, CP345, CP401, and CP451) contains an issue in processing communication packets, which may lead to resource consumption. If this vulnerability is exploited, an attacker may cause a denial of service (DoS) condition in ADL communication by sending a specially crafted packet to the affected product.

Use of insufficiently random values vulnerability exists in Vnet/IP communication module VI461 of YOKOGAWA Wide Area Communication Router (WAC Router) AW810D, which may allow a remote attacker to cause denial-of-service (DoS) condition by sending a specially crafted packet.

Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware.

Violation of secure design principles exists in the communication of CAMS for HIS. Affected products and versions are CENTUM series where LHS4800 is installed (CENTUM CS 3000 and CENTUM CS 3000 Small R3.08.10 to R3.09.00), CENTUM series where CAMS function is used (CENTUM VP, CENTUM VP Small, and CENTUM VP Basic R4.01.00 to R4.03.00), CENTUM series regardless of the use of CAMS function (CENTUM VP, CENTUM VP Small, and CENTUM VP Basic R5.01.00 to R5.04.20 and R6.01.00 to R6.09.00), Exaopc R3.72.00 to R3.80.00 (only if NTPF100-S6 'For CENTUM VP Support CAMS for HIS' is installed), B/M9000 CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01). If an adjacent attacker successfully compromises a computer using CAMS for HIS software, they can use credentials from the compromised machine to access data from another machine using CAMS for HIS software. This can lead to a disabling of CAMS for HIS software functions on any affected machines, or information disclosure/alteration.

Cleartext transmission of sensitive information vulnerability exists in STARDOM FCN Controller and FCJ Controller R1.01 to R4.31, which may allow an adjacent attacker to login the affected products and alter device configuration settings or tamper with device firmware.

OS command injection vulnerability exists in CENTUM VP R4.01.00 to R4.03.00, CENTUM VP Small R4.01.00 to R4.03.00, CENTUM VP Basic R4.01.00 to R4.03.00, and B/M9000 VP R6.01.01 to R6.03.02, which may allow an attacker who can access the computer where the affected product is installed to execute an arbitrary OS command by altering a file generated using Graphic Builder.

Improper authentication vulnerability in the communication protocol provided by AD (Automation Design) server of CENTUM VP R6.01.10 to R6.09.00, CENTUM VP Small R6.01.10 to R6.09.00, CENTUM VP Basic R6.01.10 to R6.09.00, and B/M9000 VP R8.01.01 to R8.03.01 allows an attacker to use the functions provided by AD server. This may lead to leakage or tampering of data managed by AD server.

The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00

The following Yokogawa Electric products contain insecure DLL loading issues. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets. The authentication may be bypassed via some crafted packets: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.

CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.

'Root Service' service implemented in the following Yokogawa Electric products creates some named pipe with improper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

CAMS for HIS Log Server contained in the following Yokogawa Electric products is vulnerable to uncontrolled resource consumption. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

'Long-term Data Archive Package' service implemented in the following Yokogawa Electric products creates some named pipe with imporper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

Path traversal vulnerability exists in CAMS for HIS Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

The following Yokogawa Electric products do not change the passwords of the internal Windows accounts from the initial configuration: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.0, Exaopc versions from R3.72.00 to R3.79.00.

There is a path traversal vulnerability in CAMS for HIS Log Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, andfrom R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to create or overwrite arbitrary files and run arbitrary commands via unspecified vectors.

CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered communication packets via unspecified vectors.

Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to execute arbitrary code via a crafted packet.

Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to cause a denial of service (process outage) via a crafted packet.

Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to cause a denial of service (network-communications outage) via a crafted packet.

An unquoted search path vulnerability in Multiple Yokogawa products for Windows (Exaopc (R1.01.00 ? R3.77.00), Exaplog (R1.10.00 ? R3.40.00), Exaquantum (R1.10.00 ? R3.02.00 and R3.15.00), Exaquantum/Batch (R1.01.00 ? R2.50.40), Exasmoc (all revisions), Exarqe (all revisions), GA10 (R1.01.01 ? R3.05.01), and InsightSuiteAE (R1.01.00 ? R1.06.00)) allow local users to gain privileges via a Trojan horse executable file and execute arbitrary code with eleveted privileges.

License Manager Service of YOKOGAWA products (CENTUM VP (R5.01.00 - R6.06.00), CENTUM VP Entry Class (R5.01.00 - R6.06.00), ProSafe-RS (R3.01.00 - R4.04.00), PRM (R4.01.00 - R4.02.00), B/M9000 VP(R7.01.01 - R8.02.03)) allows remote attackers to bypass access restriction to send malicious files to the PC where License Manager Service runs via unspecified vectors.

Multiple Yokogawa products that contain Vnet/IP Open Communication Driver (CENTUM CS 3000(R3.05.00 - R3.09.50), CENTUM CS 3000 Entry Class(R3.05.00 - R3.09.50), CENTUM VP(R4.01.00 - R6.03.10), CENTUM VP Entry Class(R4.01.00 - R6.03.10), Exaopc(R3.10.00 - R3.75.00), PRM(R2.06.00 - R3.31.00), ProSafe-RS(R1.02.00 - R4.02.00), FAST/TOOLS(R9.02.00 - R10.02.00), B/M9000 VP(R6.03.01 - R8.01.90)) allows remote attackers to cause a denial of service attack that may result in stopping Vnet/IP Open Communication Driver's communication via unspecified vectors.

Buffer overflow in the license management function of YOKOGAWA products (iDefine for ProSafe-RS R1.16.3 and earlier, STARDOM VDS R7.50 and earlier, STARDOM FCN/FCJ Simulator R4.20 and earlier, ASTPLANNER R15.01 and earlier, TriFellows V5.04 and earlier) allows remote attackers to stop the license management function or execute an arbitrary program via unspecified vectors.

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions.

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers.

Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The controller application fails to prevent memory exhaustion by unauthorized requests. This could allow an attacker to cause the controller to become unstable.

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The affected controllers utilize hard-coded credentials which may allow an attacker gain unauthorized access to the maintenance functions and obtain or modify information. This attack can be executed only during maintenance work.

Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution.

A weakness in access controls in CENTUM CS 1000 all versions, CENTUM CS 3000 versions R3.09.50 and earlier, CENTUM CS 3000 Small versions R3.09.50 and earlier, CENTUM VP versions R6.03.10 and earlier, CENTUM VP Small versions R6.03.10 and earlier, CENTUM VP Basic versions R6.03.10 and earlier, Exaopc versions R3.75.00 and earlier, B/M9000 CS all versions, and B/M9000 VP versions R8.01.01 and earlier may allow a local attacker to exploit the message management function of the system. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H).

Yokogawa STARDOM FCN/FCJ controller R1.01 through R4.01 does not require authentication for Logic Designer connections, which allows remote attackers to reconfigure the device or cause a denial of service via a (1) stop application program, (2) change value, or (3) modify application command.

BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784.

XML external entity (XXE) vulnerability in the WebHMI server in Yokogawa Electric Corporation FAST/TOOLS before R9.05-SP2 allows local users to cause a denial of service (CPU or network traffic consumption) or read arbitrary files via unspecified vectors.

Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM CS 1000, CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R5.03.20 and earlier, Exaopc R3.72.00 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier, when FCS/Test Function is enabled, allows remote attackers to execute arbitrary code via a crafted packet.

Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and earlier, CENTUM VP R5.03.00 and earlier, CENTUM VP Entry Class R5.03.00 and earlier, Exaopc R3.71.02 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier allows remote attackers to execute arbitrary code via a crafted packet.

Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

Heap-based buffer overflow in BKCLogSvr.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via crafted UDP packets.