Published by CISA on September 17, 2024
1. Executive Summary
CISA has issued an advisory regarding a critical vulnerability affecting Yokogawa's Dual-redundant Platform for Computer (PC2CKM). The vulnerability, designated
CVE-2024-8110, presents a
CVSS v3 score of 7.5, indicating that it is
exploitable remotely with low attack complexity. This flaw stems from an
Unchecked Return Value, which can lead to a denial-of-service (DoS) condition if exploited.
2. Risk Evaluation
The successful exploitation of this vulnerability could enable an attacker to induce a DoS, thereby disrupting the operation of systems dependent on the affected platform.
3. Technical Details
3.1 Affected Products
Versions of Yokogawa PC2CKM impacted by this vulnerability include:
- Dual-redundant Platform for Computer (PC2CKM): Versions R1.01.00 to R2.03.00
3.2 Vulnerability Overview
Unchecked Return Value (CWE-252): If the affected device receives a
high volume of UDP broadcast packets in a short span, there is a possibility for the system to restart unexpectedly. Should both the active and standby units restart simultaneously, functionality may be temporarily unavailable. Associated with this vulnerability,
CVE-2024-8110 reflects a CVSS vector string identifying the specifics for assessment.
3.3 Background
This vulnerability affects several critical infrastructure sectors, including
Critical Manufacturing,
Energy, and
Food and Agriculture. Furthermore, its reach is
global, with the company headquartered in
Japan.
3.4 Researcher Input
Yokogawa reported the vulnerability to
JPCERT, highlighting its commitment to addressing security concerns proactively.
4. Mitigations
Yokogawa advises users to update to at least version
R2.03.10 of the PC2CKM. Additional recommended practices by CISA include:
- Minimizing Network Exposure: Ensure that control system devices are not accessible from the Internet.
- Firewalls and Isolation: Place control system networks and remote devices behind firewalls, separating them from business networks.
- Secure Remote Access: Utilize VPNs for remote access, being aware of their potential vulnerabilities.
- Conducting Assessments: Organizations should perform risk assessments and impact analyses before implementing defensive measures. CISA has published further guidelines on recommended practices for securing control systems on their website.
5. Update History
September 17, 2024: Initial publication of the advisory.
Expert Commentary
The vulnerabilities highlighted in this CISA advisory expose critical weaknesses in industrial control systems, a domain that has often lagged behind when it comes to cybersecurity standards. The Unchecked Return Value issue, classified as CWE-252, underscores a recurring theme in software vulnerabilities—the tendency to assume that function calls will succeed without adequate error handling. This complacency can have significant consequences, especially in sectors that are vital to public safety and infrastructure stability. It’s crucial for system designers and engineers to cultivate a vigilant approach to coding, embracing best practices that include thorough testing and validation of return values.
Possible Wider Implications
As industrial systems become more integrated with networked technologies, the risk profile is changing. This incident raises questions about the adequacy of existing cybersecurity frameworks and the need for a comprehensive overhaul of safety practices across the board. Business leadership should prioritize training in cybersecurity awareness and in safe operational procedures, ensuring that all employees understand the potential implications of such vulnerabilities.
Recap
The advisory from CISA on the Yokogawa Dual-redundant Platform for Computer (PC2CKM) brings to light a critical vulnerability associated with UDP traffic that could trigger a denial-of-service attack. Users are encouraged to follow recommended actions, including upgrading their systems and reviewing network security practices. For those immersed in the ecosystem of industrial control systems, this advisory serves as a pertinent reminder of the vulnerabilities that persist in these environments. Adopting robust cybersecurity practices is not optional but rather essential in safeguarding operations against potential threats.
Feel free to share your thoughts or insights regarding this advisory on your respective platforms! For detailed guidance on cybersecurity best practices and vulnerabilities, stay engaged with updates from CISA and other relevant security organizations. Source: CISA
https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03
