-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Advisory (icsa-22-083-01) Yokogawa CENTUM and Exaopc
25 March 2022
AusCERT Security Bulletin Summary
Product: Yokogawa CENTUM and Exaopc
Operating System: Windows
CVE Names: CVE-2022-23402 CVE-2022-23401 CVE-2022-22729
CVE-2022-22151 CVE-2022-22148 CVE-2022-22145
CVE-2022-22141 CVE-2022-21808 CVE-2022-21194
Comment: CVSS (Max): 8.6 CVE-2022-22148 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-083-01)
Yokogawa CENTUM and Exaopc
Original release date: March 24, 2022
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 8.6
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Yokogawa
o Equipment: CENTUM and Exaopc
o Vulnerabilities: Use of Hard-coded Credentials, Relative Path Traversal,
Improper Output Neutralization for Logs, OS Command Injection, Permissions,
Privileges, and Access Controls, Uncontrolled Search Path Element
2. RISK EVALUATION
Successful exploitation of these vulnerabilities in CAMS server functions can
be abused to suppress alarms, read or write files, crash the server, or execute
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Yokogawa reports these vulnerabilities affect the following distributed control
system and software products:
o CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class): R3.08.10 - R3.09.00
o CENTUM VP (Including CENTUM VP Entry Class):
R4.01.00 - R4.03.00
R5.01.00 - R5.04.20
R6.01.00 - R6.08.00
o Exaopc: (R3.72.00 - R3.79.00)
Yokogawa reports the following products are not directly affected by the
vulnerabilities, but may be indirectly affected by the existence of CENTUM
installed on the same PC:
o B/M9000CS: (R5.04.01 - R5.05.01)
o B/M9000 VP: (R6.01.01 - R8.03.01)
Usage of the CAMS function may determine whether an installation is affected.
Please see Yokogawa's full report ( YSAR-22-0001 ) for details.
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798
If the password for the OS account created when installing the product has not
been changed from the default password and the hard-coded credentials (default
password) for the account are used, an attacker could access files and shared
memory in the system. The product is not affected by this vulnerability if the
default password has been properly changed after installation.
CVE-2022-21194 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/
3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798
If the hard-coded credentials for CAMS server application are used to send a
malformed packet to CAMS server, all functions of CAMS server can be abused,
including suppressing alarms.
CVE-2022-23402 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:R/S:C/
3.2.3 RELATIVE PATH TRAVERSAL CWE-23
A malformed packet sent to a CAMS for HIS server may allow an attacker to
achieve relative path traversal and then read and write files or execute
CVE-2022-21808 and CVE-2022-22729 have been assigned to these vulnerabilities.
A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (
3.2.4 IMPROPER OUTPUT NEUTRALIZATION FOR LOGS CWE-117
A malformed packet sent to a CAMS for HIS server may exploit an output
neutralization vulnerability, allowing an attacker to crash the server or
manipulate log files.
CVE-2022-22151 , CVE-2022-21177 . and CVE-2022-22145 have been assigned to
these vulnerabilities. A CVSS v3 base score of 5.9 has been calculated; the
CVSS vector string is ( AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H ).
3.2.5 OS COMMAND INJECTION CWE-78
A local attacker may be able to utilize a named pipe with inappropriate access
privileges to execute arbitrary programs.
CVE-2022-22148 has been assigned to this vulnerability. A CVSS v3 base score of
8.6 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:C/
3.2.6 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264
A local attacker may be able to utilize a named pipe with inappropriate access
privileges to delete arbitrary files.
CVE-2022-22141 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
3.2.7 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
CENTUM and Exaopc have a DLL injection vulnerability and a DLL planting
vulnerability using the DLL search order vulnerability. See this link for
further details on this exploit type.
CVE-2022-23401 has been assigned to this vulnerability. A CVSS v3 base score of
8.3 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:C/
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan
Jacob Baines from Dragos reported these vulnerabilities to Yokogawa.
Yokogawa recommends updating the following products:
o CENTUM VP: update to R6.09.00 or later
o Exaopc: update to R3.80.00 or later
o CENTUM CS 3000: consider system upgrade to the latest revision of CENTUM VP
The method of obtaining and updating patch software depends on the support
contract of each installation. Users who do not know how to obtain the update
and install it should contact their service/sales person.
Please see Yokogawa's full report ( YSAR-22-0001 ) for update details.
For questions related to this report, please contact Yokogawa security .
Yokogawa also recommends the following countermeasures:
o Follow the installation instructions for each product and change the
password of the OS account created when installing the product to an
o The initial password is set by default for the predefined user accounts in
CENTUM VP and Exaopc. Be sure to change the initial password.
o When changing the password, ensure that the same password is set in the
o For more information about lists of the predefined user accounts in CENTUM
VP and how to change the password for a user account, refer to: "CENTUM VP
Yokogawa strongly recommends users establish and maintain a full security
program. Security program components include patch updates, anti-virus, backup
and recovery, zoning, hardening, whitelisting, firewalls, etc.
Yokogawa can assist in setting up and running security programs. For
considering the most effective risk mitigation plan, as a starting point,
Yokogawa can perform a security risk assessment.
For questions related to this report, please contact Yokogawa .
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----