PT-2023-2121 · Yokogawa Electric · CENTUM CS 1000 +4

Published: 2023-04-05 · Updated: 2023-04-21 · CVE-2023-26593

CVSS v3.1: 7.8 High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

CENTUM CS 1000
CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class) versions R2.01.00 through R3.09.50
CENTUM VP (Including CENTUM VP Entry Class) versions R4.01.00 through R4.03.00
CENTUM VP (Including CENTUM VP Entry Class) versions R5.01.00 through R5.04.20
CENTUM VP (Including CENTUM VP Entry Class) version R6.01.00 and later
B/M9000 CS versions R5.04.01 through R5.05.01
B/M9000 VP versions R6.01.01 through R7.04.51
B/M9000 VP version R8.01.01 and later

Description

The CENTUM series provided by Yokogawa Electric Corporation is vulnerable to cleartext storage of sensitive information. If an attacker who can log in to or access the computer where the affected product is installed tampers with the password file stored on that computer, the user privileges managed by CENTUM may be escalated. As a result, the control system may be operated with the escalated user privilege. To exploit this issue, an attacker must have obtained user credentials for the computer where the affected product is installed, and, when CENTUM VP is used, CENTUM Authentication Mode must be in use for user authentication.

Recommendations

Update each of the following to a version that fixes the cleartext storage of sensitive information:

CENTUM CS 1000
CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class) versions R2.01.00 through R3.09.50
CENTUM VP (Including CENTUM VP Entry Class) versions R4.01.00 through R4.03.00
CENTUM VP (Including CENTUM VP Entry Class) versions R5.01.00 through R5.04.20
CENTUM VP (Including CENTUM VP Entry Class) version R6.01.00 and later
B/M9000 CS versions R5.04.01 through R5.05.01
B/M9000 VP versions R6.01.01 through R7.04.51
B/M9000 VP version R8.01.01 and later

As a temporary workaround, consider restricting access to the password file stored on the computer to minimize the risk of exploitation.

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2023-01858
CVE-2023-26593

Affected Products

B/M9000 CS
B/M9000 VP
CENTUM CS 1000
CENTUM CS 3000
CENTUM VP