CVE-2014-5208 in CENTUM VP

Summary

by MITRE

BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784.


Analysis

by VulDB Data Team • 04/03/2018

CVE-2014-5208 affects Yokogawa's CENTUM CS 3000 and CENTUM VP systems, along with the Exaopc software. It is a critical authentication bypass flaw in the BKBCopyD.exe component, which is part of the batch management packages that handle industrial control system communications. Remote attackers can use it to manipulate system files and access sensitive database information without authorization. Affected versions are CENTUM CS 3000 through R3.09.50, CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, so the exposure spans multiple product lines and version ranges.

The vulnerability stems from the BKBCopyD.exe service failing to enforce authentication for its file transfer operations. Three operations of its FTP-like interface are exposed, each with a different impact. The RETR operation allows unauthorized reading of arbitrary files on the system, potentially including configuration files, user credentials, or sensitive operational data. The STOR operation permits writing to arbitrary files, which could result in malicious code injection or modification of the system configuration. The PMODE operation reveals sensitive database-location information, giving attackers infrastructure details that could facilitate further attacks or system compromise.

This is a significant operational risk in industrial control systems, where process integrity and the prevention of operational disruptions depend on security. Because no authentication is required, the service gives unauthorized parties access to critical system components, potentially enabling them to manipulate industrial processes, access proprietary information, or cause operational failures. The vulnerability falls under CWE-287 (improper authentication) and aligns with ATT&CK techniques related to credential access and privilege escalation through unauthenticated remote access points. The exposure of database-location information through PMODE in particular increases the risk of targeted attacks against the underlying database infrastructure, potentially compromising the entire industrial control ecosystem.

Affected organizations should apply immediate mitigations: network segmentation to isolate affected systems, disabling unnecessary FTP services, and applying vendor-provided patches or updates when available. Firewall rules should restrict access to the BKBCopyD.exe ports to authorized networks only, and monitoring should be deployed to detect suspicious file transfer activity. The vulnerability highlights the importance of secure configuration management in industrial environments and shows how a seemingly minor authentication flaw can create significant security risk. Regular security assessments of industrial control system components are essential for finding other unauthenticated access points that could enable similar attacks, particularly where operational technology and information technology systems intersect.
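One way to implement the monitoring recommended above, as an added example that is not VulDB's or Yokogawa's code: it flags RETR, STOR and PMODE requests that reach the service from outside the authorized networks. The log format, the addresses and port 50000 are constructed placeholders; the page does not state which port BKBCopyD.exe listens on.

```python
import ipaddress
import re

# Operations the advisory says BKBCopyD.exe serves without authentication.
IMPACT = {"RETR": "file read", "STOR": "file write", "PMODE": "database-location disclosure"}

# Constructed log format (hypothetical sensor output), not a Yokogawa format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) op=(?P<op>[A-Za-z]+)"
)

def find_unauthorized_ops(lines, authorized_nets, service_port):
    """Return one alert per RETR/STOR/PMODE request sent to the service
    from a source address outside the authorized networks."""
    nets = [ipaddress.ip_network(n) for n in authorized_nets]
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != service_port:
            continue  # malformed line, or traffic to a different service
        op = m["op"].upper()
        if op not in IMPACT:
            continue  # not one of the three operations named in the advisory
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if any(src in net for net in nets):
            continue  # source is on the allowlist the firewall rule enforces
        alerts.append({"time": m["ts"], "src": str(src), "dst": m["dst"],
                       "op": op, "impact": IMPACT[op]})
    return alerts

# Constructed sample data; 50000 is a placeholder port, not taken from the page.
SERVICE_PORT = 50000
AUTHORIZED = ["10.20.1.0/24"]
SAMPLE = [
    "2014-12-22T10:15:02Z src=10.20.1.15 dst=10.20.1.40 dport=50000 op=RETR",
    "2014-12-22T10:17:44Z src=192.0.2.77 dst=10.20.1.40 dport=50000 op=PMODE",
    "2014-12-22T10:17:49Z src=192.0.2.77 dst=10.20.1.40 dport=50000 op=stor",
    "2014-12-22T10:18:03Z src=192.0.2.77 dst=10.20.1.40 dport=21 op=RETR",
    "garbled line without fields",
]

if __name__ == "__main__":
    for a in find_unauthorized_ops(SAMPLE, AUTHORIZED, SERVICE_PORT):
        print(f'{a["time"]} {a["src"]} -> {a["dst"]} {a["op"]} ({a["impact"]})')
```

Any hit from this check also means the firewall restriction is not in effect for that source, so it doubles as a test of the allowlist rule.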

Reservation: 08/13/2014

Disclosure: 12/22/2014

Moderation: accepted

Entry: VDB-73344

CPE: ready

EPSS: 0.08455

KEV: no

Activities: very low
