JRB - Fotolia
Yokogawa Stardom vulnerability leaves hardcoded creds in ICS controllers
A Yokogawa Stardom vulnerability leaves industrial control systems in critical infrastructure around the world at risk because of hardcoded credentials in the software.
Industrial control systems around the world might be at risk as hardcoded credentials are found in flawed software.
The Yokogawa Stardom vulnerability (CVE-2018-10592) affects the FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier. These industrial control systems (ICSes) are used around the world in various infrastructure capacities, including the energy sector, food production and manufacturing.
According to the security advisory for the Yokogawa Stardom vulnerability, an attacker could remotely log in with the hardcoded credentials and be able to execute system commands. Yokogawa worked with ICS-CERT in order to have the official advisory from Yokogawa and the advisory from ICS-CERT released at the same time. Yokogawa described the issue as being of medium difficulty to exploit.
Yokogawa suggested users upgrade to firmware version R4.10 and ICS-CERT added that the National Cybersecurity and Communications Integration Center (NCCIC) also recommended that industrial control systems be isolated from networks, if possible, protected behind firewalls or restricting logins.
The company wrote in a statement that even it is unsure how widespread the Yokogawa Stardom vulnerability might be. “Since Stardom’s release in 2001, Yokogawa has provided about 20,000 units to the oil and gas and other industries,” the company wrote. “As we do not have accurate information on how many controllers are still in operation and on the conditions that they are being used under, we are not sure how many controllers are affected by this vulnerability.”
Hardcoding passwords and other login credentials is a practice that security professionals have frowned upon for decades, but still affects products ranging from IoT to firewalls and more. Meanwhile, industrial control systems have become a bigger target for attackers looking to cause real-world havoc with cyberattacks.