Today the DHS ICS-CERT updated a Yokogawa advisory from last month and issued a new advisory for other Yokogawa products. The new advisory is the result of a self-disclosure from Yokogawa based upon research conducted in support of fixing the earlier advisory. This is the type of proactive action that industry should demand from vendors, particularly when the equipment is used in critical infrastructure facilities.
This update addresses new information developed during response to the original advisory published last month. This new information includes:
• Removing one of the ports that the original reports indicated was being monitored by CENTUM’s BKHOdeq.exe service;
• Adding a new stack-based buffer overflow vulnerability; and
• Reporting an even newer set of patches to deal with the identified vulnerabilities.
This new advisory is based, in part, on the vulnerabilities reported earlier by Juan Vazquez of Rapid7 Inc. There is a lengthy list of Yokogawa products to which the new advisory applies. There are currently three stack-based buffer overflow vulnerabilities and one heap-based buffer overflow vulnerability described in this advisory:
• Heap-based overflow for “BKCLogSvr.exe” service, CVE-2014-0781 (Operation Logging Process);
• Stack-based overflow for “BKESimmgr.exe” service, CVE-2014-0782 (Project Equalization Process);
• Stack-based overflow for “BKHOdeq.exe” service, CVE-2014-0783 (Batch Management Process); and
• Stack-based overflow for “BKBCopyD.exe” service, CVE-2014-0784 (Simulator Management Process in the Expanded Test Functions).
These are the same services and CVE numbers listed in the previous advisory, now extended to the new line of products. The descriptions listed above in parentheses come from Yokogawa’s own advisory, which covers both of the ICS-CERT advisories discussed in this post.