Security Experts:

Library Flaw Could Crash HART-Based ICS Field Devices

A vulnerability has been identified in a library utilized by many manufacturing and technology companies for HART-based field devices used by industrial control systems (ICS) operators.

An improper input vulnerability affecting the CodeWrights HART Device Type Manager (DTM) library was identified by Alexander Bolshev and Gleb Cherbov, researchers at Russia-based Digital Security.

Emerson Process Management has been using the library in its Rosemount, Micro Motion and Fisher Control products. After CodeWrights addressed the vulnerability with a new version of the library, Emerson released Rosemount 644 Temperature Transmitter Rev. 8, DTM version 1.4.181, which addresses the flaw in all affected products, the company said in a security advisory.

Bolshev has confirmed to SecurityWeek that the vulnerability has been fixed in the Rosemount 644 Temperature Transmitter Rev. 8, DTM version 1.4.181. However, the expert says he and his colleagues plan on running complete tests -- which could take several weeks -- to make sure the bug is properly patched.


According to the researcher, this is a medium- or low-risk vulnerability that can be exploited by an attacker with physical access to the targeted system.

“To trigger the vulnerability, the attacker should have an ability to alter the packet on the way from the field device to the DTM component. How it could be done depends on the actual ICS infrastructure. E.g. this could be done by MiTMing the field device on the HART current loop (if the attacker has access to it) or forging the packet when it’s going through gateways to the DTM component,” Bolshev explained.

Attacking vulnerable DTM through current-loop line

“The actual impact of the vulnerability is the Denial of Service of the DTM component, FDT frame application and other DTM components in the same container,” the researcher said. “Based on the real infrastructure, the restart of the FDT [Field Device Tool] Frame application or rebooting the server with the FDT Frame may be needed to recover the system.”

Emerson noted in its advisory that exploitation of this vulnerability will not result in loss of information, or loss of control. The company has pointed out that since an attacker requires access to the HART loop, adequate physical protection prevents exploitation of the security flaw.

An advisory published by ICS-CERT initially stated that exploits for this vulnerability were publicly available, but Bolshev said his team has not made any of the exploits public yet. Proof-of-concept exploits will be made available only after all affected vendors address the flaw.

ICS-CERT has not responded to SecurityWeek's email seeking clarifications regarding the exploit, but the organization has updated its advisory to say that "no known public exploits specifically target this vulnerability."

DTM component vulnerabilities

The FDT/DTM specification enables ICS operators to configure, monitor and maintain field devices from a single software system regardless of model, type or the industrial protocol they use. The problem is that DTM components rely on various technologies (OLE32, ActiveX, Visual Basic 6.0, .NET, COM and XML) that make them vulnerable to cyberattacks.

At the 2014 Black Hat Europe security conference, Bolshev and Cherbov reported uncovering a total of 32 vulnerable DTM components from 24 vendors. The DTM components analyzed by the experts are used for more than 750 devices that rely on the Highway Addressable Remote Transducer (HART) protocol, which enables communications over a standard 4-20 mA current loop.

Bolshev says so far they have notified roughly three quarters of the affected companies and most of them have responded.

*Updated: ICS-CERT updated its advisory to state that no known public exploits specifically target this vulnerability.

