GE, MACTek Update DTM Fix

Wednesday, March 25, 2015 @ 11:03 AM gHale

There is an update to the GE and MACTek HART Device Type Manager (DTM) vulnerability that mitigated an improper input vulnerability in the DTM library, according to a report on ICS-CERT.

Alexander Bolshev and Svetlana Cherkasova of Digital Security discovered the improper input vulnerability and GE addressed the vulnerability with a new library, which GE and MACTek have begun to integrate. GE tested the new library to validate it resolves the vulnerability.

Rockwell Fixes FactoryTalk Holes
Johnson Controls Fixes Metasys Holes
Honeywell Updates Web Controller Hole
XZERES Fixes Wind Turbine Vulnerability

The following products use the vulnerable HART DTM library and suffer from the issue:
• MACTek’s Bullet DTM 1.00.0,
• GE’s Vector DTM 1.00.0,
• GE’s SVi1000 Positioner DTM 1.00.0,
• GE’s SVI II AP Positioner DTM 2.00.1, and
• GE’s 12400 Level Transmitter DTM 1.00.0.

The vulnerability causes a buffer overflow in the HART Device DTM crashing the Field Device Tool (FDT) Frame Application. The Frame Application must then restart. The Frame Application primarily sees use for remote configuration. Exploitation of this vulnerability does not result in loss of information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop.

An attacker could exploit the buffer overflow exploited to execute arbitrary code on the system running the Frame Application. The researcher has provided proof of concept to ICS-CERT and the vendor. The updated HART Device DTM provided by the GE and MACTek will resolve this issue. Successful exploitation requires the Frame Application is running and connected to a DTM-configured HART-based device at the time of the exploit.

GE is a U.S.-based company that maintains offices in several countries around the world. MACTek is a US-based company headquartered in Ohio.

The affected product is the DTM library used by GE and MACTek HART-based field devices in the FDT/DTM Frame Application. According to MACTek and GE, these products see action across multiple critical infrastructure sectors. MACTek and GE said these products see use worldwide.

Successful injection of specially crafted packets to the Device DTM causes a buffer overflow condition in the Frame Application. The FDT Frame Application becomes unresponsive, and the Device DTM stops functioning. Overflow involved could end up used to execute arbitrary code on the system running the Frame Application.

CVE-2014-9203 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

This exploit on the FDT/DTM Frame Application is possible from any adjacent network that receives or passes packets from the HART Device DTM.

No known public exploits specifically target this vulnerability.

This is a complex vulnerability. Crafting a working exploit for this vulnerability would be difficult. Compromised access that allows access to the packets transmitted to Frame Application is mandatory for exploitation. This exploit also requires a specific timing to crash the Frame Application. This increases the difficulty of a successful exploit.

GE has released an advisory and update addressing the GE HART Device DTMs.

Click here to download the GE update.

Click here for the MACTek update.

The updated DTM versions are as follows:
• Bullet DTM 1.00.1,
• Vector DTM 1.00.1,
• SVi1000 DTM 1.00.1,
• SVI II AP Positioner DTM 2.10.1, and
• 12400 DTM 1.00.1.

Device DTM software with the identified vulnerable versions listed as impacted should end up used only within an offline secure network until patched. Performing configuration changes should occur in a nonproduction environment where there could be proper testing and risk evaluation. ICS-CERT recommends asset owners employ a least privilege practice and avoid unnecessary services within their production environment.

Some processes may require continual configuration changes. ICS-CERT recommends asset owners maintain all software with the latest security releases, limit connections outside the control process, and monitor approved connections for suspicious traffic.

Leave a Reply

You must be logged in to post a comment.