Yokogawa HART Device DTM Hole

Wednesday, February 18, 2015 @ 05:02 PM gHale

Yokogawa has started to implement a fix for the improper input validation vulnerability in the CodeWrights GmbH HART Device Type Manager (DTM) library used in Yokogawa's HART Device DTM, according to a report on ICS-CERT.

Alexander Bolshev of Digital Security discovered the issue in the CodeWrights GmbH HART Device Type Manager (DTM) library, which is used by multiple industry suppliers.


The following products use the vulnerable HART DTM library:
• ADMAG AE Series Magnetic Flowmeters (AE/AE14) Rev.1 & 2
• ADMAG SE Series Magnetic Flowmeters (SE/SE14) Rev.1 & 2
• AM11 Magnetic Flowmeter Remote Converter Rev.1
• AXFA11 Magnetic Flowmeter Remote Converter Rev.1
• ADMAG AXF Series Magnetic Flowmeters (AXF/AXFA14) Rev.1
• ADMAG AXR Two-wire Magnetic Flowmeters Rev.1 & 2
• digitalYEWFLO Vortex Flowmeter Rev.1,2,3, & 4
• Dpharp EJA/EJA-A Series Pressure Transmitters/Differential Pressure Transmitters Rev.1, 2, & 3
• Dpharp EJX Series Pressure Transmitters/Differential Pressure Transmitters Rev.1, 2, & 3
• EJX Multivariable Transmitters (EJX910A/EJX930A) Rev.1 & 2
• Rotameter Rev.1
• Coriolis Mass Flowmeters - ROTAMASS 3-Series (RCCT3x/RCCF31) Rev.1, 2, & 3
• Coriolis Mass Flowmeters (CF11) Rev.1
• Differential Pressure Transmitters Rev.1
• YEWFLO Vortex Flowmeter Rev.1 & 2
• YT200 Temperature Transmitters Rev.1
• YTA110/YTA310/YTA320 Temperature Transmitters Rev.1,2, & 3
• YTA70 Temperature Transmitters Rev.1
• AV550G Rev.1
• DO202 Rev.1
• ISC202 Rev.1
• ISC450 Rev.1 & 2
• PH150 Rev.1 & 2
• PH202 Rev.1
• PH450 Rev.1 & 2
• SC150 Rev.1 & 2
• SC202 Rev.1
• SC450 Rev.1 & 2
• ZR202 Rev.1
• ZR402 Rev.1

The vulnerability causes a buffer overflow in the HART Device DTM that crashes the Field Device Tool (FDT) Frame Application, which must then be restarted. The Frame Application is used primarily for remote configuration. Exploitation of this vulnerability does not result in loss of information, control, or view of the HART devices on the 4-20 mA HART loop by the control system.

Yokogawa is a company based in Japan that maintains offices in several countries around the world, including the Americas, Europe, the Middle East, Africa, South Asia, and East Asia.

The affected product is the DTM library used by Yokogawa HART-based field devices in the FDT/DTM Frame Application. These products are deployed across multiple critical infrastructure sectors. Yokogawa estimates these products are in use worldwide.

Successful injection of specially crafted packets to the Device DTM causes a buffer overflow condition in the Frame Application. The FDT Frame Application becomes unresponsive, and the Device DTM stops functioning.

CVE-2014-9191 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 1.8.

This exploit on the FDT/DTM Frame Application is possible from any adjacent network that receives or passes packets from the HART Device DTM.

No known public exploits specifically target this vulnerability.

This is a complex vulnerability, and crafting a working exploit for it would be difficult. An attacker would first need compromised access that allows them to reach the packets transmitted to the Frame Application. The exploit also requires specific timing to crash the Frame Application, which further increases the difficulty of a successful attack.

Yokogawa released an advisory (YSAR-15-0001) to address this issue.

Contact a local Yokogawa office to obtain the latest version and mitigate this vulnerability. Yokogawa has offices worldwide, including North American offices that can be contacted for support.

JPCERT has also released an advisory (JVNVU#96347573) disclosing this information.
