Update on HART DTM Vulnerability

Wednesday, January 28, 2015 @ 11:01 AM gHale


CodeWrights GmbH has updated the number of companies affected by the improper input validation vulnerability in its HART Device Type Manager (DTM) libraries, according to a report on ICS-CERT.

Independent researcher Alexander Bolshev has identified an improper input validation vulnerability in CodeWrights GmbH HART Device Type Manager (DTM) libraries. CodeWrights GmbH produces DTM libraries for vendors of HART DTM products.


CodeWrights GmbH has updated the libraries to mitigate this vulnerability. One of the affected firms tested CodeWrights GmbH’s updated HART DTM library and validated that it resolves the vulnerability.

Any DTM built with CodeWrights GmbH DTMStudio prior to 1.5.151 suffers from the issue. A user can identify the affected libraries by the filename pattern DDCH*Lib, where “*” is a wildcard string. Libraries prior to Version 1.4.181 suffer from the issue.
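A simple inventory check for the affected files, added here as an example and not taken from ICS-CERT or CodeWrights: it assumes the DDCH*Lib libraries ship as DLLs under the DTM install tree on a Windows host, and uses pywin32 (win32api) to read each file's version resource so it can be compared against the 1.4.181 threshold from the advisory.

```python
import glob
import os
import re

# Threshold from the advisory: CodeWrights HART DTM libraries (DDCH*Lib)
# older than 1.4.181 carry the improper input validation bug.
FIXED_LIB_VERSION = (1, 4, 181)


def parse_version(text):
    """Turn a dotted version string such as '1.4.181' into a tuple of ints,
    padded to at least three components so '1.4' compares like '1.4.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def is_affected(version_text):
    """True when the library is older than the fixed 1.4.181 build."""
    return parse_version(version_text) < FIXED_LIB_VERSION


def find_ddch_libs(root):
    """Recursively list files matching the DDCH*Lib naming scheme from the
    advisory. Assumption: the libraries are DLLs below the given root."""
    pattern = os.path.join(root, "**", "DDCH*Lib*.dll")
    return sorted(p for p in glob.glob(pattern, recursive=True) if os.path.isfile(p))


def pe_file_version(path):
    """Read the FileVersion resource of a Windows DLL. Requires pywin32
    (win32api) and therefore only runs on the Windows host being audited."""
    import win32api  # deferred so the rest of the module works elsewhere
    info = win32api.GetFileVersionInfo(path, "\\")
    ms, ls = info["FileVersionMS"], info["FileVersionLS"]
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def classify(entries):
    """Split (path, version_text) pairs into affected and fixed lists."""
    report = {"affected": [], "fixed": []}
    for path, version_text in entries:
        key = "affected" if is_affected(version_text) else "fixed"
        report[key].append((path, version_text))
    return report


if __name__ == "__main__":
    import sys
    # Assumed default install root; pass the real DTM directory as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)"
    report = classify((p, pe_file_version(p)) for p in find_ddch_libs(root))
    for status in ("affected", "fixed"):
        for path, ver in report[status]:
            print(f"{status:<9} {ver:>12}  {path}")
```

Any path listed as affected should be replaced with the vendor-supplied library before the DTM is used again on a loop reachable from an untrusted network.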

Companies using CodeWrights GmbH’s product include:
• ABB (Refer to the ABB web page where it will publish notifications if any products end up affected by this vulnerability.)
• Berthold Technologies
• Emerson
• Endress+Hauser
• Magnetrol
• Pepperl+Fuchs

Other companies are also affected by the vulnerability, and ICS-CERT will issue an advisory for each vendor identified as its remediation efforts are completed.

The vulnerability causes a buffer overflow in the HART component crashing the DTM component and the Field Device Tool (FDT) Frame application.

CodeWrights GmbH is a German-based company that provides device integration and management solutions. The affected library is a component within the FDT/DTM application used to integrate HART devices.

CodeWrights GmbH supplies components used in DTMs of other vendors. HART DTM deploys globally across several sectors including chemical, commercial facilities, critical manufacturing, energy, food and agriculture, and water and wastewater systems.

Specially crafted response packets sent over the 4 mA to 20 mA current loop cause the DTM component to stop functioning and the FDT Frame application to become unresponsive.

CVE-2014-9191 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 1.8.

This exploit is possible from any adjacent network between the FDT/DTM frame application and the HART transmitter on the 4 mA to 20 mA current loop.

No known public exploits specifically target this vulnerability.

Crafting a working exploit for this vulnerability would be difficult. Compromised access at any point between the HART transmitter and Frame Application with DTM will allow an attacker to unencapsulate, modify, re-encapsulate, and send malicious packets. This exploit requires timing the spoofed response to crash the FDT/DTM components. This increases the difficulty of a successful exploit.

CodeWrights GmbH developed an updated library to address this vulnerability. These libraries are going out to its customers (vendors) that have current support agreements.


