Late this afternoon the DHS ICS-CERT published an advisory
for multiple buffer overflow vulnerabilities in the Yokogawa CENTUM CS 3000
application. The vulnerabilities were reported by Juan Vazquez of Rapid7 Inc
and Julian Vilas Diaz in a coordinated disclosure. In a tad bit different move
for a coordinated disclosure, Rapid7 has published a Metasploit
module for each of the three vulnerabilities. Yokogawa has produced a patch
to mitigate the vulnerabilities, but there is no indication that anyone has
independently verified the efficacy of the patch.
ICS-CERT notes that three different buffer overflow
vulnerabilities are involved. They include:
NOTE: These CVE links will not be
active for a couple of days.
ICS-CERT reports that a relatively low-skilled attacker
could use the proof-of-concept code to remotely exploit these vulnerabilities
and execute arbitrary code. Yokogawa reports that they are still investigating
whether or not other systems have the same vulnerabilities.
Yokogawa reported these vulnerabilities on Friday and Rapid7
published their Metasploit modules on Monday. According to the Rapid7 Disclosure Policy, they would
have notified Carnegie Mellon CERT (CERT/CC) of this vulnerability on about
January 25th and Yokogawa on about January 10th.
According to ICS-CERT, Japan CERT (JPCERT) was also involved in the coordination
process.