Buffer Overflows Patched in Yokogawa Control System Products

Patches are available for buffer overflow bugs in Yokogawa production control software. Public exploits are available for the vulnerabilities, as well as a Metasploit module.

Patches for critical vulnerabilities in production control system software built by Yokogawa Electric Corp. of Japan are available, according to an advisory issued Tuesday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT).

The advisory warns that there are publicly available exploits targeting these vulnerabilities, and a Metasploit module for the bugs was recently released.

Yesterday’s alert is an update to a previous advisory issued in March warning of buffer overflow vulnerabilities in the software. Yokogawa said this prompted a deeper examination of its products and additional security issues were discovered, the company said.

In March, Rapid7 engineers Juan Vazquez and Julian Vilas Diaz disclosed three vulnerabilities in the Yokogawa Centum CS3000 Windows-based production control system. The Centum CS line is deployed in numerous critical industries such as oil refinery, iron and steel manufacturing, as well as public utilities and other manufacturing uses.

Vazquez and Diaz said that a working exploit was developed for version R3.09.50 running on Windows XP SP3 and Windows Server 2003, a data execution prevention (DEP) bypass that would allow an attacker to remotely execute code. The issue, they said, is in the BKESimmgr.exe service, which listens on TCP port 34205.

“By sending a specially crafted packet to the port TCP/34205, it’s possible to trigger a stack-based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user,” Vazquez and Diaz wrote on the Rapid7/Metasploit website.

In all, there are four vulnerabilities affecting a slew of Yokogawa products:

  • CENTUM CS 1000 all revisions,
  • CENTUM CS 3000 Entry Class R3.09.50 and earlier,
  • CENTUM VP R5.03.00 and earlier,
  • CENTUM VP Entry Class R5.03.00 and earlier,
  • Exaopc R3.71.02 and earlier,
  • B/M9000CS R5.05.01 and earlier, and
  • B/M9000 VP R7.03.01 and earlier

“Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service (DoS) or potentially acquire system privileges to execute arbitrary code,” ICS-CERT said in its alert. “Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

All of the bugs are buffer overflows, Yokogawa said.

The first is a heap-based buffer overflow in the BKCLogSvr.exe service. An attacker can send malicious packets to the service on UDP Port 52302, triggering the heap-based overflow that would allow an attacker to crash the system and also execute code remotely.

The remaining bugs are stack-based buffer overflows, all of which allow an attacker to run code on the production control system.

The first affects the BKHOdeq.exe service which starts when the system’s FCS/Test Function runs; malicious packets sent to TCP Port 20171 would trigger the vulnerability.

Similarly, the BKBCopyD.exe service, which also starts on the same function, but listens on TCP Port 20111, is also vulnerable to attack.

Suggested articles