CVE-2022-22148

7.8 HIGH

📋 TL;DR

This vulnerability in Yokogawa's 'Root Service' allows attackers to exploit improperly configured named pipe ACLs, potentially enabling privilege escalation or unauthorized access. It affects CENTUM CS 3000, CENTUM VP, and Exaopc products across multiple versions. Organizations using these industrial control systems are at risk.

💻 Affected Systems

Products:
  • CENTUM CS 3000
  • CENTUM VP
  • Exaopc
Versions: CENTUM CS 3000: R3.08.10 to R3.09.00; CENTUM VP: R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, R6.01.00 to R6.08.00; Exaopc: R3.72.00 to R3.79.00
Operating Systems: Windows (typically used with these industrial systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the 'Root Service' component specifically; industrial control systems often run on isolated networks but remain vulnerable to internal threats.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary code with SYSTEM/root privileges, potentially disrupting industrial operations or causing physical damage.

🟠 Likely Case

Privilege escalation from a lower-privileged user to SYSTEM/root, enabling unauthorized access to sensitive industrial control system functions.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent attackers from reaching vulnerable systems.

🌐 Internet-Facing: LOW (Industrial control systems should never be directly internet-facing)
🏢 Internal Only: HIGH (Attackers with internal network access can exploit this for privilege escalation)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW (Named pipe manipulation is well-understood, but requires some access to the system)

Exploitation requires some level of initial access to the system; the vulnerability is in ACL configuration rather than a complex memory corruption issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply vendor patches: CENTUM CS 3000: R3.09.50 or later; CENTUM VP: R4.03.50, R5.04.50, R6.08.50 or later; Exaopc: R3.80.00 or later

Vendor Advisory: https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf

Restart Required: Yes

Instructions:

1. Download patches from Yokogawa support portal.
2. Apply patches according to vendor documentation.
3. Restart affected systems.
4. Verify patch installation.

🔧 Temporary Workarounds

Restrict Named Pipe Access

Platform: Windows

Manually configure stricter ACLs on the vulnerable named pipes to limit access to authorized users only.

Use Windows icacls or Set-Acl PowerShell commands to modify pipe permissions.

Network Segmentation

Platform: All

Isolate affected systems in dedicated network segments with strict firewall rules to limit attack surface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems from untrusted networks
  • Apply principle of least privilege to user accounts and monitor for suspicious named pipe access

🔍 How to Verify

Check if Vulnerable:

Check system version against affected ranges and verify if 'Root Service' is running with vulnerable named pipe configurations.

Check Version:

Check product documentation for version verification commands specific to each Yokogawa product

Verify Fix Applied:

Verify patch version is installed and test named pipe ACLs to ensure proper permissions are set.

📡 Detection & Monitoring

Log Indicators:

  • Unusual named pipe creation or access attempts in Windows event logs
  • Failed privilege escalation attempts

Network Indicators:

  • Unexpected connections to industrial control system services
  • Anomalous traffic patterns to/from affected systems

SIEM Query:

EventID=4656 OR EventID=4663 with object name containing pipe paths related to Yokogawa services
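
The query above, worked through as an added example (not from the vendor advisory or this page's source) that filters exported Security events for access to a watched pipe by unexpected accounts. Assumptions: object-access auditing is producing 4656/4663 events, pipe objects appear under `\Device\NamedPipe\`, the pipe marker is a placeholder because this page does not name the affected pipes, and the allowlist and all sample records are constructed.

```python
# Added example: triage exported Security events for pipe access.
# All records below are constructed; the pipe marker is a placeholder.
PIPE_EVENT_IDS = {4656, 4663}            # handle requested / object accessed
PIPE_PREFIX = "\\device\\namedpipe\\"    # how pipe objects appear in ObjectName
PIPE_MARKERS = ("example_root_service_pipe",)  # placeholder, not a real pipe name
EXPECTED_SUBJECTS = {"system"}           # assumption: accounts expected to use the pipe

SAMPLE_EVENTS = [
    {"EventID": 4656, "SubjectUserName": "SYSTEM",
     "ObjectName": r"\Device\NamedPipe\EXAMPLE_ROOT_SERVICE_PIPE",
     "ProcessName": r"C:\Example\rootsvc.exe"},
    {"EventID": 4663, "SubjectUserName": "operator1",
     "ObjectName": r"\Device\NamedPipe\example_root_service_pipe",
     "ProcessName": r"C:\Users\operator1\tool.exe"},
    {"EventID": 4663, "SubjectUserName": "operator1",
     "ObjectName": r"C:\Example\config.ini",
     "ProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4656, "SubjectUserName": "operator1",
     "ObjectName": r"\Device\NamedPipe\unrelated_pipe",
     "ProcessName": r"C:\Example\other.exe"},
    {"EventID": 4658, "SubjectUserName": "operator1"},  # no ObjectName field
]

def suspicious_pipe_access(events, markers=PIPE_MARKERS, expected=EXPECTED_SUBJECTS):
    """Return (EventID, user, object, process) for watched-pipe access by unexpected accounts."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue
        name = ev.get("ObjectName", "").lower()
        if not name.startswith(PIPE_PREFIX) or not any(m in name for m in markers):
            continue
        user = ev.get("SubjectUserName", "")
        if user.lower() in expected:
            continue
        hits.append((ev["EventID"], user, ev["ObjectName"], ev.get("ProcessName", "")))
    return hits

if __name__ == "__main__":
    for hit in suspicious_pipe_access(SAMPLE_EVENTS):
        print(hit)
```

Replace the marker and allowlist with the pipe names and service accounts observed on a known-good engineering station before using the output for alerting.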
