PT-2014-64: XML External Entity Injection in Yokogawa FAST/TOOLS Vulnerable softwareYokogawa FAST/TOOLS Version: R9.05 SP1 and earlierLink: http://www.yokogawa.com/scd/fasttools/scd-scada-ov-en.htmSeverity levelSeverity level: Low Impact: Proactive Arbitrary Files Reading, Denial of Service Access Vector: Local CVSS v2: Base Score: 3.2 Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:P)CVE: CVE-2014-7251Software descriptionYokogawa FAST/TOOLS is a web-based real-time operations management and visualization software suite. This Enterprise Operations Solution has architectural benefits that significantly advance efficiency, security and improve operational agility of remote Process Management infrastructures.Vulnerability descriptionThe specialists of the Positive Research center have detected an XML External Entity Injection vulnerability in the Yokogawa FAST/TOOLS application.A local attacker can trick the WebHMI server into sending data to an outside computer. This vulnerability can also increase the load of the WebHMI server and the network.How to fix Update your software up to the latest version.Advisory status 20.11.2012 - Vendor gets vulnerability details 28.11.2014 - Vendor releases fixed version and details 26.12.2014 - Public disclosureCreditsThe vulnerability was detected by Timur Yunusov, Alexey Osipov and Ilya Karpov, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2014-10 http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0004E.pdf https://ics-cert.us-cert.gov/advisories/ICSA-14-343-01 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/