CVE-2022-22729
📋 TL;DR
CVE-2022-22729 is an authentication bypass vulnerability in Yokogawa's CAMS for HIS Server that allows attackers to send specially crafted packets to bypass authentication mechanisms. This affects industrial control systems including CENTUM CS 3000, CENTUM VP, and Exaopc products. Organizations using these Yokogawa industrial automation systems are at risk.
💻 Affected Systems
- CENTUM CS 3000
- CENTUM VP
- Exaopc
📦 What is this software?
Exaopc by Yokogawa
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems allowing unauthorized control over critical infrastructure, potential process manipulation, safety system bypass, and industrial espionage.
Likely Case
Unauthorized access to industrial control systems allowing data exfiltration, process monitoring, and potential manipulation of non-critical systems.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring detecting anomalous authentication attempts.
🎯 Exploit Status
Authentication bypass via crafted packets suggests relatively straightforward exploitation once the packet format is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CENTUM CS 3000: R3.09.50 or later; CENTUM VP (per release branch): R4.03.50 or later, R5.04.50 or later, R6.08.50 or later; Exaopc: R3.79.50 or later
Vendor Advisory: https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download patches from the Yokogawa support portal.
2. Apply updates according to vendor documentation.
3. Restart affected systems.
4. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems in dedicated industrial control network segments with strict firewall rules.
Access Control Lists
Implement strict network ACLs to limit which systems can communicate with CAMS for HIS Server.
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to isolate affected systems from untrusted networks
- Deploy intrusion detection systems to monitor for anomalous authentication attempts and crafted packets
🔍 How to Verify
Check if Vulnerable:
Check the product version against the affected ranges in Yokogawa advisory YSAR-22-0001-E
Check Version:
Check the version through the Yokogawa system management interface or consult the system documentation
Verify Fix Applied:
Verify installed version is patched: CENTUM CS 3000 ≥ R3.09.50, CENTUM VP ≥ R4.03.50/R5.04.50/R6.08.50, Exaopc ≥ R3.79.50
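An added example (not part of this advisory or of any Yokogawa tooling): a small Python check that compares an installed release string against the fixed releases listed above. The comparison is per product and per release branch, because CENTUM VP R6.07 is still vulnerable even though it sorts above R4.03.50; the inventory rows are constructed for illustration.

```python
import re

# Fixed release per product and release branch (the leading R-number),
# taken from the "Verify Fix Applied" thresholds above.
FIXED_VERSIONS = {
    "CENTUM CS 3000": {3: (3, 9, 50)},
    "CENTUM VP": {4: (4, 3, 50), 5: (5, 4, 50), 6: (6, 8, 50)},
    "Exaopc": {3: (3, 79, 50)},
}

_VERSION_RE = re.compile(r"^R(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn a release string such as 'R6.08.50' into (6, 8, 50)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Yokogawa release string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(product, version_text):
    """True if the installed release is at or above the fixed release for
    its own branch, False if below it, None if the product or branch is
    not covered by the thresholds (treat None as 'investigate', not 'safe')."""
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        return None
    installed = parse_version(version_text)
    fixed = branches.get(installed[0])  # look up the branch, never cross branches
    if fixed is None:
        return None
    return installed >= fixed


# Constructed inventory rows: (hostname, product, installed release).
SAMPLE_INVENTORY = [
    ("his-01", "CENTUM VP", "R6.08.50"),   # patched
    ("his-02", "CENTUM VP", "R6.07.10"),   # vulnerable despite "newer" branch
    ("his-03", "CENTUM VP", "R5.04.60"),   # patched on the R5 branch
    ("opc-01", "Exaopc", "R3.78.00"),      # vulnerable
    ("cs-01", "CENTUM CS 3000", "R3.09.50"),  # patched
    ("his-04", "CENTUM VP", "R7.01.00"),   # branch not listed: needs review
]


def hosts_needing_action(inventory):
    """Return (host, product, version, status) for every row not confirmed patched."""
    result = []
    for host, product, version in inventory:
        status = is_patched(product, version)
        if status is not True:
            result.append((host, product, version,
                           "vulnerable" if status is False else "unlisted"))
    return result
```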
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Unusual packet patterns to CAMS for HIS Server
Network Indicators:
- Crafted packets to CAMS for HIS Server port
- Authentication bypass patterns in network traffic
SIEM Query:
source_ip OUTSIDE trusted_range AND destination_port = [CAMS_PORT] AND protocol = TCP AND packet_size = [CRAFTED_SIZE]