CVE-2022-22141
📋 TL;DR
This vulnerability in Yokogawa's Long-term Data Archive Package service creates named pipes with improper access control lists (ACLs), allowing unauthorized users to potentially read, write, or delete data. It affects CENTUM CS 3000, CENTUM VP, and Exaopc industrial control systems from specific version ranges.
💻 Affected Systems
- CENTUM CS 3000
- CENTUM VP
- Exaopc
📦 What is this software?
Exaopc by Yokogawa
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could read sensitive industrial process data, modify or delete archived data, or potentially execute arbitrary code through named pipe manipulation, leading to operational disruption or safety incidents.
Likely Case
Unauthorized users within the same network could access archived industrial data they shouldn't have permissions to view, potentially exposing sensitive operational information.
If Mitigated
With proper network segmentation and access controls, impact is limited to authorized users who might gain unintended data access beyond their normal permissions.
🎯 Exploit Status
Requires network access to affected systems and knowledge of named pipe manipulation. No public exploit code was available at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply security patches from Yokogawa. Specific versions: CENTUM CS 3000: R3.09.01+, CENTUM VP: R4.03.01+, R5.04.30+, R6.08.01+, Exaopc: R3.79.01+
Vendor Advisory: https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download security patch from Yokogawa support portal.
2. Apply patch following Yokogawa's installation instructions.
3. Restart affected services/systems.
4. Verify patch application through version checking.
🔧 Temporary Workarounds
Disable Long-term Data Archive Service
Windows: Temporarily disable the vulnerable service if it is not required for operations
sc stop "Yokogawa Long-term Data Archive"
sc config "Yokogawa Long-term Data Archive" start= disabled
Restrict Named Pipe Access
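Windows: Manually adjust ACLs on the vulnerable named pipes. A deny entry for Everyone also applies to the accounts that legitimately use the pipe, so confirm that archive functions still work afterwards.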
icacls "\\.\pipe\YokogawaLTDAPipe*" /deny Everyone:(R,W)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from unauthorized users
- Apply principle of least privilege to user accounts accessing affected systems
🔍 How to Verify
Check if Vulnerable:
Check whether the Long-term Data Archive service is running and whether the system version falls within the affected ranges. Use: sc query "Yokogawa Long-term Data Archive"
Check Version:
Check Yokogawa system information through control panel or product-specific version commands
Verify Fix Applied:
Verify that the installed release is at or above the fixed release for its product (CENTUM CS 3000: R3.09.01+; CENTUM VP: R4.03.01+, R5.04.30+, R6.08.01+; Exaopc: R3.79.01+) and check named pipe permissions
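The fixed releases are listed per product and, for CENTUM VP, per release branch, so an installed release has to be compared against the entry for its own branch rather than against the lowest number in the list. The following is an added example (not from Yokogawa or the original page) that does this for an inventory; the host names and the `below-fixed` / `unknown` labels are constructed for illustration.

```python
import re

# Fixed releases as listed on this page, keyed by product and release branch.
FIXED = {
    "CENTUM CS 3000": {3: (3, 9, 1)},
    "CENTUM VP": {4: (4, 3, 1), 5: (5, 4, 30), 6: (6, 8, 1)},
    "Exaopc": {3: (3, 79, 1)},
}

RELEASE_RE = re.compile(r"^R(\d+)\.(\d+)\.(\d+)$")


def parse_release(text):
    """Turn 'R5.04.30' into (5, 4, 30); raise ValueError on anything else."""
    match = RELEASE_RE.match(text.strip().upper())
    if not match:
        raise ValueError(f"not a release string: {text!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(product, release):
    """Return 'fixed', 'below-fixed' or 'unknown' for one installed release."""
    branches = FIXED.get(product)
    if branches is None:
        return "unknown"
    version = parse_release(release)
    fixed = branches.get(version[0])
    if fixed is None:
        # Branch not listed on the page: do not guess, consult the advisory.
        return "unknown"
    # 'below-fixed' means older than the fixed release of the same branch;
    # the advisory's affected ranges decide whether it is actually vulnerable.
    return "fixed" if version >= fixed else "below-fixed"


def audit(inventory):
    """Map (host, product, release) rows to rows with a status appended."""
    return [(h, p, r, patch_status(p, r)) for h, p, r in inventory]


# Constructed sample inventory; host names are hypothetical.
INVENTORY = [
    ("hist-01", "CENTUM VP", "R5.04.20"),
    ("hist-02", "CENTUM VP", "R6.08.01"),
    ("opc-01", "Exaopc", "R3.78.00"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row)
```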
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Yokogawa named pipes
- Service start/stop events for Long-term Data Archive service
- Permission modification events on named pipes
Network Indicators:
- Unexpected connections to Yokogawa service ports
- Named pipe enumeration attempts from unauthorized hosts
SIEM Query:
(EventID=4688 AND ProcessName LIKE '%Yokogawa%' AND CommandLine LIKE '%pipe%') OR (EventID=5145 AND ObjectName LIKE '%Yokogawa%pipe%')