DTM XML Injection Vulnerability Fixed

Friday, September 25, 2015 @ 04:09 PM gHale

Endress+Hauser Process Solutions AG and CodeWrights produced new versions of HART DTM software libraries, according to a report on ICS-CERT.

The new versions correct the handling of the HART longtag response field in Endress+Hauser’s Fieldcare and CodeWrights HART Comm DTM.


Alexander Bolshev of Digital Security, who discovered the vulnerability, tested the updated versions to validate that they resolve the vulnerability.

This vulnerability could end up exploited from an adjacent network receiving HART DTM packets.

All HART DTM components relying on Fieldcare and a CodeWrights HART Comm DTM suffer from the issue.

When a Device DTM component receives a HART packet in response to Command 20 (longtag), it extracts the longtag from the packet. That string can carry an XML schema. The HART Comm DTM parses the XML and attempts to retrieve the schema or the document from the location stored in the longtag. This opens the way to Server Side Request Forgery (SSRF) or XML External Entity (XXE) attacks, which may lead to disclosure of confidential data, denial of service, port scanning, and other system impacts.

In an SSRF, the network connection will originate from the application server internal IP, and an attacker will be able to use this connection to bypass network controls. This could allow exposure of internal resources that are not otherwise visible.

Endress+Hauser is an international company based in Germany and Switzerland, with over 200 offices and production centers located worldwide.

CodeWrights GmbH is a German-based company that provides device integration and management solutions. CodeWrights GmbH supplies components used in DTMs of other vendors.

The Endress+Hauser Fieldcare manages the FDT/DTM Frame Application. The HART Comm DTM is part of the FDT/DTM architecture used to provide communication protocol information to the Frame Application.

ICS-CERT found these devices see use across several sectors including chemical, commercial facilities, critical manufacturing, energy, food and agriculture, water and wastewater systems, and others. ICS-CERT estimates that these DTMs work in products worldwide.

The XML schema is injected into the accepted response packet. When the Comm DTM reads longtag values from the Device DTM, it attempts to parse the XML schema, potentially allowing remote access and control.
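The Command 20 longtag path described above, as an added defensive example in Python; this is not code from Endress+Hauser, CodeWrights or ICS-CERT. It assumes the long tag is a 32-byte ISO Latin-1 field at the start of the response data and uses only the standard library: the tag is checked as a plain label before anything parses it, and where a DTM genuinely must parse XML, the parser is configured so it never resolves external entities or DTDs (sample inputs in the checks are constructed).

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Assumption: the long tag is a 32-byte ISO Latin-1 field at the start of the
# Command 20 response data; adjust LONGTAG_LEN if your stack lays it out differently.
LONGTAG_LEN = 32

def extract_longtag(response_data: bytes) -> str:
    """Return the long tag as a plain label, refusing anything that looks like markup."""
    if len(response_data) < LONGTAG_LEN:
        raise ValueError("Command 20 response shorter than the long tag field")
    tag = response_data[:LONGTAG_LEN].decode("latin-1").rstrip("\x00 ")
    # A long tag is a device label; markup characters mean the field carries XML.
    if not tag.isprintable() or any(c in tag for c in "<>&"):
        raise ValueError("long tag contains markup; not handed to any XML parser")
    return tag

class _NoDTDHandler(ContentHandler):
    """Collects element names and aborts on any DOCTYPE before a fetch could occur."""
    def __init__(self):
        super().__init__()
        self.elements = []
    def startElement(self, name, attrs):
        self.elements.append(name)
    # LexicalHandler callbacks: any DTD (inline or external) is rejected outright.
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD rejected (system id %r)" % system_id)
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass

def parse_hardened(xml_bytes: bytes) -> list:
    """Parse XML with external entity resolution disabled; returns element names in order."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external general entities
    parser.setFeature(feature_external_pes, False)  # never fetch external parameter entities
    handler = _NoDTDHandler()
    parser.setContentHandler(handler)
    parser.setProperty(property_lexical_handler, handler)
    parser.parse(io.BytesIO(xml_bytes))  # in-memory only: no file or network access
    return handler.elements

def accepts(check, data) -> bool:
    # True when check(data) completes without raising ValueError.
    try:
        check(data)
        return True
    except ValueError:
        return False
```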

CVE-2015-6463 is the case number assigned to this vulnerability, which has been assigned a CVSS v3 base score of 8.3 and a temporal score of 7.5.


No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit this vulnerability.

Endress+Hauser and CodeWrights have provided their own security advisories and patches.

Asset owners using FieldCare or CodeWrights HART Comm DTMs should update their software to the newest version as soon as possible.