Library Flaw Could Crash HART-Based ICS Field Devices

A vulnerability has been identified in a library utilized by many manufacturing and technology companies for HART-based field devices used by industrial control systems (ICS) operators.

An improper input validation vulnerability affecting the CodeWrights HART Device Type Manager (DTM) library was identified by Alexander Bolshev and Gleb Cherbov, researchers at Russia-based Digital Security.

Emerson Process Management has been using the library in its Rosemount, Micro Motion and Fisher Control products. After CodeWrights addressed the vulnerability with a new version of the library, Emerson released Rosemount 644 Temperature Transmitter Rev. 8, DTM version 1.4.181, which addresses the flaw in all affected products, the company said in a security advisory.

Bolshev has confirmed to SecurityWeek that the vulnerability has been fixed in the Rosemount 644 Temperature Transmitter Rev. 8, DTM version 1.4.181. However, the expert says he and his colleagues plan on running complete tests — which could take several weeks — to make sure the bug is properly patched.

According to the researcher, this is a medium or low risk vulnerability that can be exploited by an attacker with physical access to the targeted system.

“To trigger the vulnerability, the attacker should have an ability to alter the packet on the way from the field device to the DTM component. How it could be done depends on the actual ICS infrastructure. E.g. this could be done by MiTMing the field device on the HART current loop (if the attacker has access to it) or forging the packet when it’s going through gateways to the DTM component,” Bolshev explained.

[Figure: Attacking vulnerable DTM through current-loop line]

“The actual impact of the vulnerability is the Denial of Service of the DTM component, FDT frame application and other DTM components in the same container,” the researcher said. “Based on the real infrastructure, the restart of the FDT [Field Device Tool] Frame application or rebooting the server with the FDT Frame may be needed to recover the system.” 

Emerson noted in its advisory that exploitation of this vulnerability will not result in loss of information or loss of control. The company has pointed out that since an attacker requires access to the HART loop, adequate physical protection of the loop prevents exploitation of the security flaw.

An advisory published by ICS-CERT initially stated that exploits for this vulnerability were publicly available, but Bolshev said his team has not made any of the exploits public yet. Proof-of-concept exploits will be made available only after all affected vendors address the flaw.

ICS-CERT has not responded to SecurityWeek’s email seeking clarifications regarding the exploit, but the organization has updated its advisory to say that “no known public exploits specifically target this vulnerability.”

DTM component vulnerabilities

The FDT/DTM specification enables ICS operators to configure, monitor and maintain field devices from a single software system regardless of model, type or the industrial protocol they use. The problem is that DTM components are built on legacy Windows component technologies (OLE32, ActiveX, Visual Basic 6.0, .NET, COM and XML), and data arriving from a field device is parsed by this code inside the FDT frame application on the engineering workstation, so a malformed frame from the loop can take down the host application.

At the 2014 Black Hat Europe security conference, Bolshev and Cherbov reported uncovering a total of 32 vulnerable DTM components from 24 vendors. The DTM components analyzed by the experts are used for more than 750 devices that rely on the Highway Addressable Remote Transducer (HART) protocol, which superimposes a low-speed digital signal on a standard 4-20 mA current loop so that configuration and diagnostic traffic shares the wire with the analog measurement.
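As an added example (not code from the article, from CodeWrights, Emerson or Digital Security; the article does not give the flaw's internals), the Python below shows the bug class behind this kind of DoS on a minimal HART response-frame parser: a DTM-side reader of command 1 (read primary variable) that trusts the frame's byte-count field, beside one that validates every length against the bytes actually received, and the checksum, before touching the payload. It also builds the kind of forged frames an attacker who can alter packets on the current loop or at a gateway, as described above, would inject. The frame layout, XOR checksum and command 1 response format follow the HART framing; the sample frames, the 0x80 address and all function names are constructed for the example.

```python
import struct

# Constructed example (not code from the article, CodeWrights, Emerson or
# Digital Security). It illustrates improper input validation of a
# field-device response inside a DTM; it is NOT the actual CodeWrights flaw.
#
# Short-frame, slave-to-master HART response:
#   preamble (0xFF ...) | 0x06 | address | command | byte count |
#   status (2 bytes) | data (byte count - 2 bytes) | checksum
# The checksum is the XOR of every byte from the start delimiter through
# the last data byte. Command 1 (read primary variable) answers with
# 5 data bytes: a units code followed by a big-endian IEEE 754 float.

START_SHORT_RESPONSE = 0x06
CMD_READ_PV = 1


class HartFrameError(ValueError):
    """Raised by the validating parser for any malformed frame."""


def _xor(data: bytes) -> int:
    result = 0
    for b in data:
        result ^= b
    return result


def forge_response(command: int, status: bytes, data: bytes,
                   claimed_count: int, address: int = 0x80) -> bytes:
    """Attacker-controlled frame: the byte count may lie about the payload
    length, but the checksum is recomputed so it still verifies, which is
    what an attacker altering packets on the loop or at a gateway can do."""
    body = bytes([START_SHORT_RESPONSE, address, command, claimed_count]) + status + data
    return bytes([0xFF] * 5) + body + bytes([_xor(body)])


def build_response(command: int, status: bytes, data: bytes) -> bytes:
    """Well-formed response: byte count equals status plus data length."""
    return forge_response(command, status, data, len(status) + len(data))


def read_pv_naive(frame: bytes):
    """Trusting parser: believes the byte-count field. Any lie in the frame
    surfaces as an unhandled exception, the analogue of the DTM crash."""
    i = 0
    while frame[i] == 0xFF:
        i += 1
    count = frame[i + 3]
    body = frame[i:i + 4 + count]
    if _xor(body) != frame[i + 4 + count]:     # IndexError if count overstates length
        raise HartFrameError("bad checksum")
    data = body[6:]
    units = data[0]                             # IndexError if there is no data
    value = struct.unpack(">f", data[1:5])[0]   # struct.error if fewer than 4 bytes
    return units, value


def read_pv(frame: bytes):
    """Validating parser: every length taken from the frame is checked
    against what was actually received before any byte is used."""
    i = 0
    while i < len(frame) and frame[i] == 0xFF:
        i += 1
    if i == 0:
        raise HartFrameError("missing preamble")
    header_len = 4                              # delimiter, address, command, count
    if len(frame) < i + header_len + 1:
        raise HartFrameError("frame shorter than header plus checksum")
    if frame[i] != START_SHORT_RESPONSE:
        raise HartFrameError("unsupported start delimiter 0x%02x" % frame[i])
    count = frame[i + 3]
    if count < 2:
        raise HartFrameError("response byte count must cover two status bytes")
    end = i + header_len + count                # position of the checksum byte
    if end >= len(frame):
        raise HartFrameError("byte count %d exceeds received frame" % count)
    body = frame[i:end]
    if _xor(body) != frame[end]:
        raise HartFrameError("bad checksum")
    command, data = body[2], body[6:]
    if command != CMD_READ_PV:
        raise HartFrameError("unexpected command %d" % command)
    if len(data) < 5:
        raise HartFrameError("command 1 needs 5 data bytes, got %d" % len(data))
    return data[0], struct.unpack(">f", data[1:5])[0]


def sample_frames() -> dict:
    """Constructed frames: one honest, three forged by an attacker on the loop."""
    pv = b"\x20" + struct.pack(">f", 25.5)      # units code 0x20, value 25.5
    return {
        "well-formed": build_response(CMD_READ_PV, b"\x00\x00", pv),
        "count overstated": forge_response(CMD_READ_PV, b"\x00\x00", pv, 200),
        "no data": forge_response(CMD_READ_PV, b"\x00\x00", b"", 2),
        "short data": forge_response(CMD_READ_PV, b"\x00\x00", b"\x20", 3),
    }


def _classify(parser, frame: bytes) -> str:
    try:
        parser(frame)
        return "ok"
    except HartFrameError:
        return "rejected"
    except Exception:                           # anything else is an unhandled crash
        return "crashed"


def run_demo() -> dict:
    """Map each sample frame to (naive outcome, validating outcome)."""
    return {name: (_classify(read_pv_naive, f), _classify(read_pv, f))
            for name, f in sample_frames().items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print("%-18s naive=%-8s validating=%s" % (name, outcome[0], outcome[1]))
```

The point of the validating version is that the only untrusted length in the frame, the byte count, is compared with the received length and the command-specific minimum before any index depends on it, and that every failure path raises one controlled error type the frame application can catch, instead of an unhandled exception (or, in native code, an out-of-bounds read) that takes the whole FDT container down with it.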

Bolshev says so far they have notified roughly three quarters of the affected companies and most of them have responded.

*Updated: ICS-CERT updated its advisory to state that no known public exploits specifically target this vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
