CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:S/C:P/I:N/A:P
EPSS
Percentile
27.8%
Yokogawa FAST/TOOLS
Version: R9.05 SP1 and earlier
Link:
<http://www.yokogawa.com/scd/fasttools/scd-scada-ov-en.htm>
Severity level: Low
Impact: Proactive Arbitrary Files Reading, Denial of Service
Access Vector: Local
CVSS v2:
Base Score: 3.2
Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:P)
CVE: CVE-2014-7251
Yokogawa FAST/TOOLS is a web-based real-time operations management and visualization software suite. This Enterprise Operations Solution has architectural benefits that significantly advance efficiency, security and improve operational agility of remote Process Management infrastructures.
The specialists of the Positive Research center have detected an XML External Entity Injection vulnerability in the Yokogawa FAST/TOOLS application.
A local attacker can trick the WebHMI server into sending data to an outside computer. This vulnerability can also increase the load of the WebHMI server and the network.
How to fix
Update your software up to the latest version.
20.11.2012 - Vendor gets vulnerability details
28.11.2014 - Vendor releases fixed version and details
26.12.2014 - Public disclosure
The vulnerability was detected by Timur Yunusov, Alexey Osipov and Ilya Karpov, Positive Research Center (Positive Technologies Company)
<http://en.securitylab.ru/lab/PT-2014-10>
<http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0004E.pdf>
<https://ics-cert.us-cert.gov/advisories/ICSA-14-343-01>
Reports on the vulnerabilities previously discovered by Positive Research:
<http://www.ptsecurity.com/research/advisory/>
<http://en.securitylab.ru/lab/>