This afternoon the DHS ICS-CERT published an advisory for an authentication vulnerability in the Yokogawa CENTUM CS 3000 series. The vulnerability was initially reported by Tod Beardsley of Rapid7 in what can only be called a semi-coordinated disclosure. It was disclosed to Yokogawa (May 1st according to Rapid7) and to CERTs (June 25th; presumably JPCERT/CC and ICS-CERT). The "semi" comes from the publication of a Metasploit module on August 9th and a DEF CON presentation at about the same time, well before any patch was available. There is no word on why ICS-CERT did not produce an alert at that point, particularly since it appears that Yokogawa had interim mitigation measures available at the time. It could be that Yokogawa, not ICS-CERT, was responsible for that decision.
NOTE: The ICS-CERT advisory gives co-discovery credit to Jim Denaro of CipherLaw. According to the Rapid7 post about this vulnerability, it sounds like Denaro was providing legal advice rather than technical involvement in discovering the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely leak the CENTUM project database location, read and write arbitrary files,
Yokogawa expects to publish patches for the affected products by the end of this month. In the meantime the advisory provides information on interim mitigation strategies.
There is an interesting comment in the Yokogawa report on this vulnerability (page 2) that did not make it into the ICS-CERT advisory:
“When Yokogawa service personnel perform updating the revision and application the software patch, those charges are borne by the customer.”
I'm hoping that something was lost in translation, but it sure sounds like, if Yokogawa has to send out a rep to install its own patches, the system owner is going to pay for that service.