More than 7,600 different power, chemical and petrochemical plants may still be vulnerable to a handful of SCADA vulnerabilities made public this week.
A researcher at Rapid 7, the Boston-based firm responsible for the popular pen testing software Metasploit, and an independent security researcher discovered the bugs in Yokogawa Electric’s CENTUM CS3000 R3 product. The Windows-based software is a little dated at this point, having first been introduced in 1998 but is primarily used by infrastructure in power plants, airports and chemical plants across Europe and Asia.
Juan Vazquez, with Rapid 7 and security researcher Julian Vilas Diaz discovered the bugs. The two initially discussed their findings in a co-authored talk “Kicking SCADA Around” last weekend at the RootedCON conference in Madrid, Spain before technical details about the bugs were eventually published in a blog post on Monday.
The vulnerabilities, three in total, are essentially just a series of buffer overflows, heap based and stack based, that could open the software up to attack. All of them affect computers where CENTUM CS 3000, software that helps operate and monitor industrial control systems, is installed.
With the first one, an attacker could send a specially crafted sequence of packets to BKCLogSvr.exe and trigger a heap based buffer overflow, which in turn could cause a DoS and allow the execution of arbitrary code with system privileges.
The second would involve a similar situation, a special packet could be sent to BKHOdeq.exe and cause a stack based buffer overflow, allowing “execution of arbitrary code with the privileges of the CENTUM user.”
Lastly, another stack based buffer overflow, this involving the BKBCopyD.exe service, could allow the execution of arbitrary code, as well.
Rapid 7 first disclosed the vulnerabilities to Japanese electrical engineering firm back in December before they were acknowledged by CERT/CC. The company published an advisory on the vulnerabilities (.PDF) last Friday, a day before Vazquez and Vilas presented them, and three days before they were publicly disclosed via Rapid 7’s blog.
Yokogawa recommends those running CENTUM CS 300 update to the latest version of the software (R3.09.50) and patching it to resolve the vulnerabilities.