CVE-2022-21177

8.1 HIGH

📋 TL;DR

This path traversal vulnerability in Yokogawa's CAMS for HIS Log Server allows attackers to access arbitrary files on affected systems. It affects industrial control systems including CENTUM CS 3000, CENTUM VP, and Exaopc products. Attackers can potentially read sensitive system files through directory traversal techniques.

💻 Affected Systems

Products:
  • CENTUM CS 3000
  • CENTUM VP
  • Exaopc
Versions:
  • CENTUM CS 3000: R3.08.10 to R3.09.00
  • CENTUM VP: R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, R6.01.00 to R6.08.00
  • Exaopc: R3.72.00 to R3.79.00
Operating Systems: Windows (typically used for Yokogawa industrial systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects CAMS for HIS Log Server component specifically. Industrial control systems often run on isolated networks but may be vulnerable if network boundaries are breached.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through reading of sensitive configuration files, credentials, or system files leading to industrial process disruption or data exfiltration.

🟠 Likely Case

Unauthorized access to log files, configuration data, and potentially sensitive operational information from the industrial control system.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to vulnerable services.

🌐 Internet-Facing: MEDIUM - While industrial control systems shouldn't be internet-facing, misconfigurations could expose them. The vulnerability requires network access to the service.
🏢 Internal Only: HIGH - If attackers gain internal network access, they can exploit this to gather intelligence about the industrial control system for further attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities typically have low exploitation complexity. No public exploit code was found at time of analysis, but the vulnerability type is well-understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches as specified in Yokogawa security advisory YSAR-22-0001-E

Vendor Advisory: https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf

Restart Required: Yes

Instructions:

1. Review Yokogawa security advisory YSAR-22-0001-E.
2. Apply vendor-provided patches for your specific product version.
3. Restart affected services/systems.
4. Verify patch application through version checking.

🔧 Temporary Workarounds

Network Segmentation

Isolate affected systems from untrusted networks and implement strict firewall rules

Access Control

Restrict network access to CAMS for HIS Log Server to only authorized systems and users

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems from untrusted networks
  • Deploy application firewalls or WAFs with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check product version against affected ranges and verify CAMS for HIS Log Server component is installed

Check Version:

Check through Yokogawa system management tools or product documentation for version information

Verify Fix Applied:

Verify that the version is outside the affected ranges after patch application, and test that path traversal attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in CAMS logs
  • Multiple failed path traversal attempts
  • Access to files outside expected directories

Network Indicators:

  • HTTP requests with '../' sequences or other path traversal patterns to CAMS service

SIEM Query:

source="cams_logs" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")
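The query above matches raw substrings, so encoded or mixed-separator forms can slip past it and harmless names containing "../" can trigger it. The following is an added example, not part of the original page or any Yokogawa tooling: it decodes the uri field before matching and compares the result with a literal reading of the query. The function names, the case-insensitive reading of the query and the sample URIs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many nested encodings to unwrap
# Literal reading of the query above as substring tests on the raw field
# (assumption: wildcards match case-insensitively and without decoding).
RAW_PATTERNS = ("../", "..\\", "%2e%2e%2f")
# A ".." that forms a whole path segment, in the path or a parameter value.
DOTDOT_SEGMENT = re.compile(r"(?:^|[/=?&])\.\.(?:/|$)")

def raw_query_match(uri: str) -> bool:
    lowered = uri.lower()
    return any(p in lowered for p in RAW_PATTERNS)

def normalize(uri: str) -> str:
    """Percent-decode until stable (bounded), then fold '\\' into '/'."""
    current = uri
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")

def has_traversal(uri: str) -> bool:
    return bool(DOTDOT_SEGMENT.search(normalize(uri)))

def compare(uris):
    """Return (missed_by_raw_query, raw_query_false_positives)."""
    missed = [u for u in uris if has_traversal(u) and not raw_query_match(u)]
    noisy = [u for u in uris if raw_query_match(u) and not has_traversal(u)]
    return missed, noisy

# Constructed sample values for the uri field (not taken from real CAMS logs).
SAMPLE_URIS = [
    "/logs/view?file=report.log",
    "/logs/../../conf/example.ini",
    "/logs/..%5c..%5cconf%5cexample.ini",
    "/logs/%252e%252e%252fconf/example.ini",
    "/logs/%2e%2e/conf/example.ini",
    "/logs/backup../report.log",
]

if __name__ == "__main__":
    missed, noisy = compare(SAMPLE_URIS)
    print("missed by raw query:", missed)
    print("raw query false positives:", noisy)
```

If the SIEM supports a URL-decode function at search time, applying it to the uri field before matching gives the same effect as normalize() here.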
