1. EXECUTIVE SUMMARY
- CVSS v3 5.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Yokogawa
- Equipment: STARDOM FCN/FCJ
- Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition to the FCN/FCJ controller by sending a specially crafted packet.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Yokogawa STARDOM FCN/FCJ, a network control system, are affected:
- STARDOM FCN/FCJ: versions R1.01 through R4.31
3.2 Vulnerability Overview
This vulnerability may allow to a remote attacker to cause a denial-of-service condition to the FCN/FCJ controller by sending a crafted packet. While sending the packet, the maintenance homepage of the controller could not be accessed. Therefore, functions of the maintenance homepage, changing configuration, viewing logs, etc. are not available. But the controller's operation is not stopped by the condition.
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
Roman Ezhov of Kaspersky reported this vulnerability to Yokogawa.
Yokogawa has released the following mitigations for users to implement:
- By using the packet filter function* of the FCN/FCJ controller, only allow connection from trusted hosts.
- Take measures against the network so that an attacker cannot send a malicious packet.
Yokogawa strongly recommends all users to establish and maintain a full security program, not only for the vulnerability identified in this YSAR. Security program components are: Patch updates, Anti-virus, Backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.
*Revision up FCN/FCJ basic software to R4.20 or later for using the function.
More details can also be found in Yokogawa's security advisory report number YSAR-23-0003.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- November 30, 2023: Initial Publication