HART DTM Vulnerability a Small Risk

Wednesday, February 4, 2015 @ 09:02 AM gHale

By Gregory Hale
Notifications have been coming fast and furious — and they are not done yet. They focus on CodeWrights GmbH updating an improper input validation vulnerability in its Device Type Manager (DTM) libraries for HART field devices.

These reports, which have been keeping ICS-CERT busy over the past few weeks, concern the DTM libraries CodeWrights produces for vendors of HART products for use with FDT Frame Applications. CodeWrights has mitigated the vulnerability, and the suppliers who ship those libraries are now validating the fixes to confirm they resolve the vulnerability.


Any DTM written by CodeWrights using DTMStudio prior to version 1.5.151 suffers from the issue. A user can identify these libraries by the filename DDCH*Lib.dll, where “*” is a wildcard string that typically references a specific device vendor. Libraries prior to version 1.4.181 suffer from the issue. One example from the article's screenshot (not reproduced here) is a Honeywell HART Device DTM library.

Companies using CodeWrights GmbH products include:
• Berthold Technologies
• Emerson
• Endress+Hauser
• Honeywell
• Magnetrol
• Pepperl+Fuchs

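The filename pattern and version threshold above can be turned into a host-side inventory check. The following Python script is an added example, not code from the article, ICS-CERT or CodeWrights; it assumes the DLL paths and file versions have already been collected into a CSV (for instance from the Windows file properties of each library), and the sample rows it contains are constructed.

```python
import csv
import fnmatch
import io
import ntpath

# From the advisory text: DDCH*Lib.dll libraries before 1.4.181 are affected.
FIXED_LIB_VERSION = (1, 4, 181)
DTM_LIB_PATTERN = "ddch*lib.dll"   # compared in lower case

# Constructed sample inventory: vendor names and paths are placeholders.
SAMPLE_INVENTORY = r"""path,file_version
C:\FDT\DDCHVendorALib.dll,1.4.150.0
C:\FDT\DDCHVendorBLib.dll,1.4.181.0
C:\FDT\ddchvendorclib.dll,1.5.2.0
C:\FDT\OtherDtmLib.dll,1.0.0.0
C:\FDT\DDCHVendorDLib.dll,
"""


def parse_version(text):
    """Turn '1.4.181.0' or '1.4.181' into a tuple of ints; raises ValueError if blank/garbled."""
    return tuple(int(part) for part in text.strip().split("."))


def is_codewrights_dtm(path):
    """Match the DDCH*Lib.dll naming convention on the basename, case-insensitively."""
    return fnmatch.fnmatchcase(ntpath.basename(path).lower(), DTM_LIB_PATTERN)


def is_vulnerable(version_text):
    """Versions strictly below 1.4.181 are flagged; a trailing build number is ignored."""
    return parse_version(version_text)[:3] < FIXED_LIB_VERSION


def triage(csv_text):
    """Sort inventory rows into vulnerable / fixed / unknown buckets; non-DDCH files are skipped."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"]
        if not is_codewrights_dtm(path):
            continue  # not a CodeWrights HART DTM library, out of scope for this check
        try:
            bucket = "vulnerable" if is_vulnerable(row["file_version"]) else "fixed"
        except ValueError:
            bucket = "unknown"  # blank or unparsable version: verify the file by hand
        result[bucket].append(path)
    return result


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_INVENTORY).items():
        print(bucket, paths)
```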
“The quick answer to the level of importance for this issue is these vulnerabilities do not represent much ‘net unmitigated risk’ to users,” said Joel Langill, of RedHat Cyber, an independent ICS security researcher. “The CVSSv2 Base score is 1.8, which is too low for most to consider. A successful exploitation of this vulnerability would require either direct access to the two-wire field network or access to the local industrial network where specially timed malicious packets would need to be injected. The researcher has successfully proven a vector using either the two-wire ‘field network’ between the HART device and its interface module, gateway, or controller, and also between the interface device and the Frame Application that contains the Communication and Device DTMs. In either case, the consequences are limited to one or more Frame Applications that contain the vulnerable Device DTM, which must be executing at the time the malicious packet is received. Since primary ICS functions — either closed-loop control or data acquisition — depend on the analog communication via the 4-20mA current loop, there is no impact to this signal and the underlying control strategies.”

Closer Look
There is, however, a risk, which warrants taking a look at some details, Langill said.

“What is important to understand, and something not described in the early ICS-CERT advisories, is in many cases, the two-wire network that contains both analog (4-20mA) and digital (HART FSK) signals is connected to a control device such as a process controller. In these cases, it is questionable whether the malicious packets injected on the two-wire network would be transported through the ICS components (controller, server, etc.) and presented to the Communication DTM used by the Frame Application,” Langill said. “This would require the attacker to now hijack the session that exists between what is often a proprietary communication service on the target ICS system and the Communication DTM in the Frame Application. This form of attack would require significant capability for the specific ICS system; not just the field device. I would not consider this a high risk threat.”

To understand this further, it is important to have an idea of the diversity in applying the FDT framework across a variety of ICS architectures and industry sectors, Langill said.

“The field device connects to a communication device via a two-wire system that contains both 4-20mA analog and HART FSK digital signals. The communication device could be a standalone one, or integrated into a larger ICS,” he said. “The Comm DTM is supplied by the manufacturer of this interfacing device, and allows communication to the Frame Application typically over an Ethernet-based infrastructure. This architecture is very different to a smaller system that may utilize HART signal ‘strippers’ and HART ‘modems’ that are used to separate the digital part of the signal from the legacy analog before reaching the I/O modules. At this point, the HART components are actually external to the critical ICS performing control and data acquisition, making the DoS attack on the Frame Application simpler, but further minimizing any residual risk on the critical control components.”

The genesis of the issue stems from the early days of HART and its integration with instrument asset management systems, when there was little interoperability between the HART field device, the control system, and the asset management software. This was fueled by device vendors who would often embed features in their devices that were not made available to third parties unless a particular asset management system was used.

This forced end-users to select a single vendor for all three in order to obtain the greatest level of integration and maximize the value of the improved maintenance information available from smart field instruments (circa early 2000s). So, a customer that used Yokogawa field devices, a Honeywell control system and Emerson asset management would not have the same capabilities as one that used all Emerson products (field devices, control system and AMS application), Langill said.

To address this problem, the FDT Group started up in 2003 to help provide end-users with a more open, integrated device solution. Originally consisting of five founding members, the organization now includes more than 82 companies supporting FDT technology.

The technology allows a vendor of field devices to create a single Device DTM for a device that may support multiple fieldbus protocols (HART, FF, Profibus, etc.). They would then offer a second type of DTM called a Communication or Gateway DTM (the exact type depends on the particular choice of components) that would then allow the Frame Application to communicate with the device via the necessary fieldbus protocol using controller I/O modules, linking devices, and gateways among others, Langill said.

The Comm DTM is traditionally supplied by the manufacturer of the communication or gateway device. The beauty of this technology is that by separating device functionality from its communication, a vendor that offers a device supporting HART, Profibus and Foundation FIELDBUS can supply a single Device DTM and a set of Comm and Gateway DTMs that physically connect to each of the three communication technologies. The Device and Comm DTMs then install on a host that contains the FDT (Field Device Type) Frame Application. This Frame Application can be supplied by a range of developers that provide asset management tools, device configuration and calibration tools, control system engineering tools, and operator consoles, all now with open access to the device information.
