HART DTM Vulnerability Fixed

Friday, January 9, 2015 @ 12:01 PM gHale


CodeWrights fixed an improper input validation vulnerability in its HART Device Type Manager (DTM) library, which is used in Emerson’s HART DTM, according to a report with ICS-CERT. Emerson has begun to integrate the fix after testing the new library to validate that it resolves the vulnerability.

Exploits that target this vulnerability, discovered by independent researcher Alexander Bolshev, are publicly available.

The following products use the vulnerable HART DTM library:
• Fisher Controls DVC6000 Digital Valve Controller Rev. 2.01
• Fisher Controls International DVC2000 Digital Valve Controller Rev. 1.01
• Micro Motion 1500 Rev. 5 and 6
• Micro Motion 1700 Analog Rev. 5 and 6
• Micro Motion 1700 IS Rev. 6
• Micro Motion 1700 Rev. 5
• Micro Motion 1700IS Rev. 5
• Micro Motion 2000 Config I/O Rev. 5
• Micro Motion 2200S Rev. 1
• Micro Motion 2400S Analog Rev. 2, 3, and 4
• Micro Motion 2500/2700 Config I/O Rev. 5 and 6
• Micro Motion 2700 Analog Rev. 5 and 6
• Micro Motion 2700 IS Rev. 5 and 6
• Micro Motion RFT9739 Rev. 4
• Micro Motion Series 3000 Rev. 7
• Rosemount 1151 Pressure Transmitter Rev. 5 and 6
• Rosemount 2051 Pressure Transmitter Rev. 3, 9, and 10
• Rosemount 2088 Pressure Transmitter Rev. 3, 9, and 10
• Rosemount 2090 Pressure Transmitter Rev. 3
• Rosemount 248 Temperature Transmitter Rev. 2
• Rosemount 3051 Pressure Transmitter Rev. 3, 7, 9, and 10
• Rosemount 3051S Advanced Diagnostics Rev. 2 and 3
• Rosemount 3051S Electronic Remote Sensors Rev. 1
• Rosemount 3051S Pressure Transmitter Rev. 7
• Rosemount 3051SMV Direct Process Variable Rev. 1
• Rosemount 3051SMV MultiVariable Mass Energy Flow Rev. 1
• Rosemount 3095M MultiVariable™ Mass Flow Rev. 2
• Rosemount 3100 Ultrasonic Level Transmitter Rev. 5
• Rosemount 3144P Temperature Transmitter Rev. 3, 4, 5, and 6
• Rosemount 3300 Radar Level and Interface Transmitter Rev. 3
• Rosemount 333 Triloop Rev. 1
• Rosemount 4500 Pressure Transmitter Rev. 7
• Rosemount 4600 Pressure Transmitter Rev. 1
• Rosemount 5300 Radar Level and Interface Transmitter Rev. 1, 2, and 3
• Rosemount 5400 Radar Level Transmitter Rev. 1 and 2
• Rosemount 644 Temperature Transmitter Rev. 6, 7, 8, and 9
• Rosemount 8712D Magnetic Flowmeter Rev. 1
• Rosemount 8712E Magnetic Flowmeter Rev. 3
• Rosemount 8712H Magnetic Flowmeter Rev. 1
• Rosemount 8732C Magnetic Flowmeter Rev. 7
• Rosemount 8732E Magnetic Flowmeter Rev. 2
• Rosemount 8800C Vortex Flowmeter Rev. 3
• Rosemount 8800D Vortex Flowmeter Rev. 1 and 2
• Rosemount Analytical 1056 Rev. 1 and 2
• Rosemount Analytical 5081A Rev. 2
• Rosemount Analytical 5081CT Rev. 1
• Rosemount Analytical 5081p Rev. 2
• Rosemount Analytical 54eA Rev. 2
• Rosemount Analytical 54eC Rev. 1
• Rosemount Analytical 54epH Rev. 2
• Rosemount Analytical OCT4000 Rev. 3
• Rosemount Analytical OCX8800 Rev. 3
• Rosemount Analytical XmtA Rev. 1
• Rosemount Analytical XmtCT Rev. 1
• Rosemount Analytical XmtpH Rev. 1
• Rosemount Metran 150 Pressure Transmitter Rev. 9 and 10
• Rosemount Metran 75 Pressure Transmitter Rev. 9 and 10

The vulnerability causes the HART DTM component to crash and the HART service to stop responding. Successful exploitation causes no loss of information and no loss of control or view by the control system.

Emerson Process Management is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

The affected products are HART-based field devices. According to Emerson, these products are deployed across multiple critical infrastructure sectors, and Emerson estimates they are in use globally.

By sending specially crafted response packets directly on the 4-20 mA current loop, an attacker can cause the DTM component to stop functioning and the Field Device Tool (FDT) Frame application to become unresponsive. A manipulated HART device and physical network access are required to exploit this vulnerability.

CVE-2014-9191 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 1.2.

Crafting a working exploit for this vulnerability would be difficult. Physical access to the 4 mA to 20 mA current loop is required, along with a connected HART device modified to send crafted packets. The exploit also requires specific timing for the spoofed response. This decreases the likelihood of a successful exploit.

Emerson updated the HART DTM for the Rosemount 644 Temperature Transmitter Rev. 8, DTM Version 1.4.181 on November 17. Installing this DTM will resolve the vulnerability for all the impacted Emerson products listed. Emerson recommends downloading the updated DTM from its web site.

The vulnerability is exploited by connecting a rogue device to the HART loop and sending malformed data to the frame application. If the end user has adequate physical protection of the HART loop in place, exploitation is not possible. Field devices themselves and WirelessHART installations are not affected by the issue. Emerson recommends that end users physically protect their entire infrastructure.
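The advisory attributes the DTM crash to improper input validation of response packets arriving from the loop but does not say which field was malformed. As an added illustration, not code from the advisory, Emerson or CodeWrights, the parser below shows the defensive pattern a HART host should apply: the wire-supplied byte count and checksum are checked against the actual frame before any field is sliced out, so a malformed response is rejected rather than crashing the component. The frame layout (0xFF preamble, delimiter, 1- or 5-byte address, command, byte count, two status bytes plus data, XOR checksum) is assumed from the HART FSK specification; the sample frames are constructed.

```python
"""Added example (not from the advisory, Emerson or CodeWrights): a HART ACK-frame
parser that checks byte count and checksum before trusting them. Layout assumed from
the HART FSK spec: 0xFF preamble, delimiter, 1/5-byte address, command, byte count,
2 status bytes + data, XOR checksum over delimiter..last data byte."""
from functools import reduce
from operator import xor

ACK = 0x06        # frame-type bits of the delimiter for a slave response
LONG_ADDR = 0x80  # delimiter bit set when a 5-byte unique address follows

class HartFrameError(ValueError):
    """Any malformed frame: the caller drops it instead of crashing."""

def parse_response(raw: bytes) -> tuple:
    """Return (address, command, status, data) or raise HartFrameError."""
    n = 0
    while n < len(raw) and raw[n] == 0xFF:  # consume preamble
        n += 1
    if not 2 <= n <= 20:
        raise HartFrameError("preamble length out of range")
    body = raw[n:]
    if not body or body[0] & 0x07 != ACK:
        raise HartFrameError("missing delimiter or not an ACK frame")
    addr_len = 5 if body[0] & LONG_ADDR else 1
    hdr = 1 + addr_len + 2  # delimiter + address + command + byte count
    if len(body) < hdr + 1:
        raise HartFrameError("truncated header")
    byte_count = body[hdr - 1]
    if byte_count < 2:
        raise HartFrameError("byte count too small to hold status bytes")
    # byte_count comes off the wire: compare it with the real length before slicing
    if len(body) != hdr + byte_count + 1:
        raise HartFrameError("byte count does not match frame length")
    if reduce(xor, body[:-1], 0) != body[-1]:
        raise HartFrameError("checksum mismatch")
    payload = body[hdr:-1]
    return body[1:1 + addr_len], body[hdr - 2], payload[:2], payload[2:]

def build_response(address: bytes, command: int, status: bytes, data: bytes) -> bytes:
    """Constructed well-formed frame (5-byte preamble), used to exercise the parser."""
    delim = ACK | (LONG_ADDR if len(address) == 5 else 0)
    body = bytes([delim]) + address + bytes([command, len(status) + len(data)]) + status + data
    return b"\xff" * 5 + body + bytes([reduce(xor, body, 0)])

def check_frame(raw: bytes) -> str:
    """'ok' for a valid frame, otherwise the reason it was rejected."""
    try:
        parse_response(raw)
        return "ok"
    except HartFrameError as exc:
        return str(exc)
```

Feeding the parser a frame whose byte count claims more data than was received, or whose checksum does not match, yields a rejection string instead of an exception escaping into the host application.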

More details are in Emerson’s advisory.


