PT-2014-64: XML External Entity Injection in Yokogawa FAST/TOOLS

Vulnerable software

Yokogawa FAST/TOOLS

Version: R9.05 SP1 and earlier

Link:
<http://www.yokogawa.com/scd/fasttools/scd-scada-ov-en.htm&gt;

Severity level

Severity level: Low
Impact: Proactive Arbitrary Files Reading, Denial of Service
Access Vector: Local

CVSS v2:
Base Score: 3.2
Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:P)

CVE: CVE-2014-7251

Software description

Yokogawa FAST/TOOLS is a web-based real-time operations management and visualization software suite. This Enterprise Operations Solution has architectural benefits that significantly advance efficiency, security and improve operational agility of remote Process Management infrastructures.

Vulnerability description

The specialists of the Positive Research center have detected an XML External Entity Injection vulnerability in the Yokogawa FAST/TOOLS application.

A local attacker can trick the WebHMI server into sending data to an outside computer. This vulnerability can also increase the load of the WebHMI server and the network.

How to fix

Update your software up to the latest version.

Advisory status

20.11.2012 - Vendor gets vulnerability details
28.11.2014 - Vendor releases fixed version and details
26.12.2014 - Public disclosure

Credits

The vulnerability was detected by Timur Yunusov, Alexey Osipov and Ilya Karpov, Positive Research Center (Positive Technologies Company)

References

<http://en.securitylab.ru/lab/PT-2014-10&gt;
<http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0004E.pdf&gt;
<https://ics-cert.us-cert.gov/advisories/ICSA-14-343-01&gt;

Reports on the vulnerabilities previously discovered by Positive Research:

<http://www.ptsecurity.com/research/advisory/&gt;
<http://en.securitylab.ru/lab/&gt;