CVE-2019-5909 in CENTUM VP

Summary

by MITRE

License Manager Service of YOKOGAWA products (CENTUM VP (R5.01.00 - R6.06.00), CENTUM VP Entry Class (R5.01.00 - R6.06.00), ProSafe-RS (R3.01.00 - R4.04.00), PRM (R4.01.00 - R4.02.00), B/M9000 VP (R7.01.01 - R8.02.03)) allows remote attackers to bypass access restriction to send malicious files to the PC where License Manager Service runs via unspecified vectors.

Analysis

by VulDB Data Team • 07/10/2023

The vulnerability identified as CVE-2019-5909 affects multiple Yokogawa industrial control system products including CENTUM VP, CENTUM VP Entry Class, ProSafe-RS, PRM, and B/M9000 VP across specific version ranges. This security flaw resides within the License Manager Service component of these systems, which is responsible for managing software licensing and authorization within industrial environments. The affected products are commonly deployed in critical infrastructure sectors including power generation, oil and gas, and manufacturing facilities where operational technology security is paramount. The vulnerability represents a significant concern for industrial cybersecurity as it allows remote attackers to bypass legitimate access controls and potentially execute malicious code on systems running these vulnerable services.

The technical nature of this vulnerability involves unspecified vectors that enable attackers to send malicious files to target systems running the License Manager Service. This represents a privilege escalation and remote code execution risk where unauthorized parties can bypass established access restrictions without proper authentication. The flaw exists in the service's handling of file transfers and access controls, potentially allowing attackers to upload and execute arbitrary code on the target system. According to CWE classification, this vulnerability could be categorized under CWE-284 (Improper Access Control) or CWE-434 (Unrestricted Upload of File with Dangerous Type) depending on the specific implementation details of the file transfer mechanism. The lack of specific vector information in the CVE description suggests that multiple attack paths may exist, making the vulnerability particularly concerning for security assessments.

The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling attackers to compromise entire industrial control systems. In critical infrastructure environments, this could lead to operational disruption, data manipulation, or even physical safety risks if the compromised systems control industrial processes. The vulnerability affects systems that are typically not directly exposed to external networks, making the remote exploitation capability particularly dangerous as it could allow attackers to bypass network segmentation controls. Organizations using these Yokogawa products face potential risks of unauthorized system modification, data exfiltration, and disruption of critical operations. The attack surface is further expanded by the fact that these systems often operate in isolated networks where traditional network-based security controls may be insufficient.

Mitigation strategies for CVE-2019-5909 should focus on immediate patching of affected systems, network segmentation to isolate vulnerable services, and implementation of strict access controls. Organizations should apply official patches released by Yokogawa as soon as possible, while maintaining detailed monitoring of file transfer activities on affected systems. Network-level protections including firewall rules to restrict access to License Manager Service ports, intrusion detection system monitoring for suspicious file transfer patterns, and regular vulnerability assessments should be implemented. The ATT&CK framework would classify this vulnerability under techniques such as T1195 (Supply Chain Compromise) or T1210 (Exploitation of Remote Services) depending on how the attack is initiated. Additionally, organizations should conduct thorough risk assessments to determine if any of their industrial control systems are running vulnerable versions and implement compensating controls such as network access controls, endpoint protection, and regular security audits to reduce the attack surface.

Reservation: 01/10/2019

Moderation: accepted

CPE: ready

EPSS: 0.07447

KEV: no

Activities: very low
