CVE-2020-5608
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to bypass authentication and send manipulated communication packets to Yokogawa industrial control systems. Affected systems include CENTUM CS 3000, CENTUM VP, B/M9000CS, and B/M9000 VP across multiple versions. This affects industrial environments using these control systems.
💻 Affected Systems
- CENTUM CS 3000
- CENTUM CS 3000 Small
- CENTUM VP
- CENTUM VP Small
- CENTUM VP Basic
- B/M9000CS
- B/M9000 VP
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to manipulate industrial processes, cause physical damage, disrupt operations, or exfiltrate sensitive industrial data.
Likely Case
Unauthorized access to control systems allowing manipulation of process variables, configuration changes, or denial of service to critical industrial operations.
If Mitigated
Limited impact if systems are isolated in air-gapped networks with strict access controls, though authentication bypass remains possible within the network.
🎯 Exploit Status
The vulnerability allows unauthenticated remote exploitation via unspecified vectors, suggesting relatively straightforward exploitation once understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply security updates: CENTUM CS 3000: R3.09.60 or later; CENTUM VP: R6.08.00 or later; B/M9000CS: R5.06.00 or later; B/M9000 VP: R8.04.00 or later
Vendor Advisory: https://web-material3.yokogawa.com/1/29820/files/YSAR-20-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download security updates from Yokogawa support portal.
2. Apply updates according to vendor documentation.
3. Restart affected systems.
4. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems in dedicated industrial control network segments with strict firewall rules.
Access Control Lists
Implement strict network ACLs to limit communication to only authorized systems and ports.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy intrusion detection systems monitoring for anomalous communication patterns
🔍 How to Verify
Check if Vulnerable:
Check system version against affected ranges in vendor advisory. Verify CAMS for HIS component is installed.
Check Version:
Check version through Yokogawa system management interface or consult system documentation for version verification commands.
Verify Fix Applied:
Confirm system version is updated to patched versions listed in vendor advisory. Verify no authentication bypass occurs during testing.
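Added example (not from the vendor or the advisory): a small inventory check that compares recorded revisions against the fixed versions listed under Official Fix and notes whether CAMS for HIS is installed. The inventory rows, the status labels, and the mapping of Small/Basic editions to their parent product's fixed revision are assumptions.

```python
import re

# Minimum fixed revisions exactly as listed on this page.
FIXED = {
    "CENTUM CS 3000": (3, 9, 60),
    "CENTUM VP": (6, 8, 0),
    "B/M9000CS": (5, 6, 0),
    "B/M9000 VP": (8, 4, 0),
}
# Assumption: Small/Basic editions follow the fix line of their parent product.
_EDITION = re.compile(r"\s+(Small|Basic)$", re.IGNORECASE)
_REV = re.compile(r"^R(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)


def parse_revision(text):
    """Turn 'R6.07.00' into (6, 7, 0); raise ValueError on anything else."""
    m = _REV.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised revision string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(product, revision, cams_for_his):
    """Classify one inventory row against the fixed revisions (labels are hypothetical)."""
    family = _EDITION.sub("", product.strip())
    if family not in FIXED:
        return "unknown-product"
    try:
        rev = parse_revision(revision)
    except ValueError:
        return "unparseable-revision"
    # Numeric tuple comparison; comparing the raw strings would misorder R10 and R6.
    if rev >= FIXED[family]:
        return "at-or-above-fixed"
    # Below the fixed revision: this page ties the check to CAMS for HIS being installed.
    return "update-required" if cams_for_his else "below-fixed-no-cams"


# Constructed inventory rows: (product, revision, CAMS for HIS installed).
INVENTORY = [
    ("CENTUM VP", "R6.07.00", True),
    ("CENTUM VP Small", "R6.08.00", True),
    ("CENTUM CS 3000", "R3.09.50", False),
    ("B/M9000 VP", "R8.4", True),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(f"{row[0]:<18} {row[1]:<10} {assess(*row)}")
```

Rows reported as below the fixed revision still need to be compared with the affected ranges in the vendor advisory, since this page lists only the fixed versions.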
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful unauthorized access
- Unusual communication patterns from unauthenticated sources
- Configuration changes from unexpected sources
Network Indicators:
- Unauthenticated communication packets to control system ports
- Altered packet structures in control system communications
- Traffic from unauthorized IP addresses to control systems
SIEM Query:
source_ip NOT IN authorized_list AND destination_port IN [control_system_ports] AND protocol=tcp