Vulnerabilities in production control system software used in manufacturing, energy and other critical industries worldwide have been patched by the vendor, an advisory from the Industrial Control System Cyber Emergency Response Team said.
Yokogawa Electric Corp., of Japan patched critical buffer overflow flaws in its CENTUM and Exaopac production control system software this week. The vulnerabilities, discovered by Rapid7 engineers, could allow an attacker to remotely exploit a vulnerable system and execute code.
Rapid7 engineer Juan Vazquez said the vulnerability is present on systems when its Expanded Test Functions are in use.
“By sending a specially crafted packet to the port UDP/20010 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user,” Vazquez said.
Vazquez and colleague Julian Vilas Diaz discussed this and other vulnerabilities in the CENTUM software in a talk in March at RootedCon. A Metapsloit module for this vulnerability has been available since May 7.
“The vulnerable function assembles log lines using a defined list of pre-formatted strings (format strings), and user controlled (tainted) data (in some cases),” Vazquez wrote in a report on the bugs. “But it uses dangerous functions and static size stack buffers in order to do it, being the size of the buffers no longer enough for storing logs created with malicious user-controlled data.”
- CENTUM CS 1000 all revisions,
- CENTUM CS 3000 R3.09.50 or earlier,
- CENTUM CS 3000 Entry Class R3.09.50 or earlier,
- CENTUM VP R5.03.20 or earlier,
- CENTUM VP Entry Class R5.03.20 or earlier,
- Exaopc R3.72.00 or earlier,
- B/M9000CS R5.05.01 or earlier, and
- B/M9000 VP R7.03.01 or earlier.
This is the final CENTUM bug discovered by Vazquez and Diaz; the last set disclosed in May was quickly patched after public exploits were available for a different buffer overflow vulnerability.
Vazquez and Diaz said that a working exploit was developed for version R3.09.50 running on Windows XP SP3 and Windows Server 2003, a data execution prevention (DEP) bypass that would allow an attacker to remotely execute code. The issue, they said, is in the BKESimmgr.exe service, which listens on TCP port 34205.
“By sending a specially crafted packet to the port TCP/34205, it’s possible to trigger a stack-based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user,” Vazquez and Diaz said in May.
Successful exploits, ICS-CERT said at the time, could result in a denial-of-service attack, or enable remote code execution.