PT-2014-64: XML External Entity Injection in Yokogawa FAST/TOOLS
Vulnerable software
Yokogawa FAST/TOOLS
Version: R9.05 SP1 and earlier
Link:
http://www.yokogawa.com/scd/fasttools/scd-scada-ov-en.htm
Severity level
Severity level: Low
Impact: Proactive Arbitrary Files Reading, Denial of Service
Access Vector: Local
CVSS v2:
Base Score: 3.2
Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:P)
CVE: CVE-2014-7251
Software description
Yokogawa FAST/TOOLS is a web-based real-time operations management and visualization software suite. This Enterprise Operations Solution has architectural benefits that significantly advance efficiency, security and improve operational agility of remote Process Management infrastructures.
Vulnerability description
The specialists of the Positive Research center have detected an XML External Entity Injection vulnerability in the Yokogawa FAST/TOOLS application.
A local attacker can trick the WebHMI server into sending data to an outside computer. This vulnerability can also increase the load of the WebHMI server and the network.
How to fix
Update your software up to the latest version.
Advisory status
20.11.2012 - Vendor gets vulnerability details
28.11.2014 - Vendor releases fixed version and details
26.12.2014 - Public disclosure
Credits
The vulnerability was detected by Timur Yunusov, Alexey Osipov and Ilya Karpov, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2014-10
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0004E.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-14-343-01
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/