CVE-2022-26034
📋 TL;DR
CVE-2022-26034 is an improper authentication vulnerability in Yokogawa CENTUM VP and B/M9000 VP industrial control systems. Attackers can bypass authentication in the Automation Design (AD) server communication protocol, potentially leading to data leakage or tampering. Affected systems include CENTUM VP R6.01.10 to R6.09.00 and B/M9000 VP R8.01.01 to R8.03.01.
💻 Affected Systems
- CENTUM VP
- CENTUM VP Small
- CENTUM VP Basic
- B/M9000 VP
📦 What is this software?
B/M9000 VP by Yokogawa
CENTUM VP by Yokogawa
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control system data, including process parameters, configurations, and operational data, potentially leading to physical process disruption or safety incidents.
Likely Case
Unauthorized access to sensitive industrial control data, configuration tampering, or operational data manipulation affecting process reliability.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized network access to the AD server.
🎯 Exploit Status
Authentication bypass vulnerabilities in industrial protocols are frequently exploited. No public exploit code identified, but the vulnerability is straightforward to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CENTUM VP R6.09.01 or later, B/M9000 VP R8.03.02 or later
Vendor Advisory: https://www.yokogawa.com/library/resources/white-papers/yokogawa-security-advisory-report-list/
Restart Required: Yes
Instructions:
1. Download patches from Yokogawa support portal.
2. Apply patches to affected CENTUM VP or B/M9000 VP systems.
3. Restart AD server services.
4. Verify patch installation through version check.
🔧 Temporary Workarounds
Network Segmentation
Isolate AD servers from untrusted networks using firewalls and VLANs.
Access Control Lists
Implement strict network access controls to limit connections to AD servers only from authorized engineering workstations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AD servers from all untrusted networks
- Deploy intrusion detection systems to monitor for unauthorized access attempts to AD server ports
🔍 How to Verify
Check if Vulnerable:
Check the CENTUM VP or B/M9000 VP version against the affected ranges. Verify whether the AD server service is running and accessible on the network.
Check Version:
Check version through CENTUM VP System View or B/M9000 VP configuration tools (vendor-specific commands vary by installation).
Verify Fix Applied:
Confirm system version is CENTUM VP R6.09.01+ or B/M9000 VP R8.03.02+. Test authentication requirements for AD server functions.
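The version comparison described above can be scripted over an asset inventory. This is an added example, not Yokogawa's or this page's own tooling; the function names and sample hosts are hypothetical, and it assumes release strings of the form `R6.09.00` and that the Small and Basic editions follow the CENTUM VP numbering.

```python
import re

# Affected range and first fixed release per product line, as given on this page.
RANGES = {
    "CENTUM VP": ((6, 1, 10), (6, 9, 0), (6, 9, 1)),
    "B/M9000 VP": ((8, 1, 1), (8, 3, 1), (8, 3, 2)),
}
# Assumption: the Small and Basic editions share the CENTUM VP release numbering.
ALIASES = {"CENTUM VP SMALL": "CENTUM VP", "CENTUM VP BASIC": "CENTUM VP"}
RELEASE_RE = re.compile(r"R(\d+)\.(\d+)\.(\d+)")

def parse_release(text):
    """Turn 'R6.09.00' into (6, 9, 0); reject anything else."""
    m = RELEASE_RE.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(product, release):
    """Compare one product/release pair against the ranges on this page."""
    name = product.strip().upper()
    name = ALIASES.get(name, name)
    if name not in RANGES:
        return "unknown product"
    low, high, fixed = RANGES[name]
    version = parse_release(release)
    if low <= version <= high:
        return "affected"
    if version >= fixed:
        return "fixed"
    return "outside listed range"  # older than the range; the page does not say

def audit(inventory):
    """Return (host, status) pairs, keeping hosts with unreadable data visible."""
    results = []
    for host, product, release in inventory:
        try:
            status = classify(product, release)
        except ValueError:
            status = "check manually"
        results.append((host, status))
    return results

# Constructed sample inventory (hostnames and releases are made up).
SAMPLE = [("eng-ws-01", "CENTUM VP", "R6.07.00"), ("eng-ws-02", "CENTUM VP Basic", "R6.09.01"),
          ("pm-srv-01", "B/M9000 VP", "R8.03.01"), ("pm-srv-02", "B/M9000 VP", "8.3")]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```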
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to AD server ports
- Authentication failures followed by successful AD server access
- Unusual configuration changes to industrial control parameters
Network Indicators:
- Unexpected connections to AD server ports (typically proprietary industrial protocols)
- Traffic patterns indicating AD server function usage from unauthorized sources
SIEM Query:
source_ip NOT IN (authorized_engineering_stations) AND destination_port IN (ad_server_ports) AND protocol='industrial_protocol'