Library Flaw Could Crash HART-Based ICS Field Devices

A vulnerability has been identified in a library utilized by many manufacturing and technology companies for HART-based field devices used by industrial control systems (ICS) operators.

An improper input validation vulnerability affecting the CodeWrights HART Device Type Manager (DTM) library was identified by Alexander Bolshev and Gleb Cherbov, researchers at Russia-based Digital Security.

Emerson Process Management has been using the library in its Rosemount, Micro Motion and Fisher Control products. After CodeWrights addressed the vulnerability with a new version of the library, Emerson released Rosemount 644 Temperature Transmitter Rev. 8, DTM version 1.4.181, which addresses the flaw in all affected products, the company said in a security advisory.

Bolshev has confirmed to SecurityWeek that the vulnerability has been fixed in the Rosemount 644 Temperature Transmitter Rev. 8, DTM version 1.4.181. However, the expert says he and his colleagues plan on running complete tests — which could take several weeks — to make sure the bug is properly patched.

According to the researcher, this is a medium or low risk vulnerability that can be exploited by an attacker with physical access to the targeted system.

“To trigger the vulnerability, the attacker should have an ability to alter the packet on the way from the field device to the DTM component. How it could be done depends on the actual ICS infrastructure. E.g. this could be done by MiTMing the field device on the HART current loop (if the attacker has access to it) or forging the packet when it’s going through gateways to the DTM component,” Bolshev explained.

[Image: Attacking vulnerable DTM through current-loop line]

“The actual impact of the vulnerability is the Denial of Service of the DTM component, FDT frame application and other DTM components in the same container,” the researcher said. “Based on the real infrastructure, the restart of the FDT [Field Device Tool] Frame application or rebooting the server with the FDT Frame may be needed to recover the system.” 

Emerson noted in its advisory that exploitation of this vulnerability will not result in loss of information or loss of control. The company has pointed out that since an attacker requires access to the HART loop, adequate physical protection prevents exploitation of the security flaw.

An advisory published by ICS-CERT initially stated that exploits for this vulnerability were publicly available, but Bolshev said his team has not made any of the exploits public yet. Proof-of-concept exploits will be made available only after all affected vendors address the flaw.

ICS-CERT has not responded to SecurityWeek’s email seeking clarifications regarding the exploit, but the organization has updated its advisory to say that “no known public exploits specifically target this vulnerability.”

DTM component vulnerabilities

The FDT/DTM specification enables ICS operators to configure, monitor and maintain field devices from a single software system regardless of model, type or the industrial protocol they use. The problem is that DTM components rely on various technologies (OLE32, ActiveX, Visual Basic 6.0, .NET, COM and XML) that make them vulnerable to cyberattacks.

At the 2014 Black Hat Europe security conference, Bolshev and Cherbov reported uncovering a total of 32 vulnerable DTM components from 24 vendors. The DTM components analyzed by the experts are used for more than 750 devices that rely on the Highway Addressable Remote Transducer (HART) protocol, which enables communications over a standard 4-20 mA current loop.
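The kind of check a DTM component should perform before acting on a packet that arrived over the current loop, as an added example that is not code from the article, CodeWrights or Emerson: a strict parser for the HART application-layer frame. The frame layout, the XOR checksum rule and the frame-type codes follow the HART specification (HART 5/6 framing; HART 7 expansion bytes are rejected as out of scope). The sample frames are constructed, and since this page does not describe the specific defect in the CodeWrights library, the parser illustrates the class of check (byte-count consistency and checksum verification) that turns an altered frame into a dropped frame rather than a crash of the DTM and its FDT frame application.

```python
"""Strict HART frame parser: rejects malformed frames instead of acting on them.

Added example, not code from the article, CodeWrights or Emerson. Layout per the
HART specification (HART 5/6 style, no HART 7 expansion bytes):

  preamble (0xFF bytes) | delimiter | address (1 or 5 bytes) | command
  | byte count | data (byte-count bytes) | checksum

The checksum is the XOR of every byte from the delimiter through the last data
byte. A DTM that trusts the byte count or skips the checksum can be crashed by a
frame altered on the loop or at a gateway; here such frames raise MalformedFrame.
"""
from dataclasses import dataclass

PREAMBLE = 0xFF
MIN_PREAMBLE = 2                                 # fewest preamble bytes accepted (assumption)
FRAME_TYPES = {1: "BACK", 2: "STX", 6: "ACK"}    # burst, master->slave, slave->master


class MalformedFrame(ValueError):
    """Any structural or checksum failure; callers drop the frame."""


@dataclass
class HartFrame:
    long_address: bool
    frame_type: str
    address: bytes
    command: int
    data: bytes


def xor_checksum(chunk: bytes) -> int:
    checksum = 0
    for b in chunk:
        checksum ^= b
    return checksum


def parse_hart_frame(raw: bytes) -> HartFrame:
    # 1. Strip the preamble and refuse frames with too few 0xFF bytes.
    i = 0
    while i < len(raw) and raw[i] == PREAMBLE:
        i += 1
    if i < MIN_PREAMBLE:
        raise MalformedFrame("preamble too short")
    body = raw[i:]
    # Shortest legal body: delimiter, 1-byte address, command, byte count, checksum.
    if len(body) < 5:
        raise MalformedFrame("frame truncated")

    # 2. Decode the delimiter: bit 7 = long address, bits 2-0 = frame type.
    delimiter = body[0]
    long_addr = bool(delimiter & 0x80)
    if (delimiter >> 5) & 0x03:
        raise MalformedFrame("HART 7 expansion bytes not supported by this parser")
    frame_type = FRAME_TYPES.get(delimiter & 0x07)
    if frame_type is None:
        raise MalformedFrame(f"unknown frame type {delimiter & 0x07}")

    addr_len = 5 if long_addr else 1
    header_len = 1 + addr_len + 1 + 1            # delimiter + address + command + byte count
    if len(body) < header_len + 1:
        raise MalformedFrame("frame truncated inside header")
    address = body[1:1 + addr_len]
    command = body[1 + addr_len]
    byte_count = body[header_len - 1]

    # 3. The byte count must match the bytes actually present. An overstated
    #    count is what makes a trusting parser read past the end of its buffer.
    if len(body) != header_len + byte_count + 1:
        raise MalformedFrame(
            f"byte count {byte_count} disagrees with {len(body) - header_len - 1} data bytes"
        )
    data = body[header_len:header_len + byte_count]

    # 4. Verify the XOR checksum before handing anything to the application.
    if xor_checksum(body[:-1]) != body[-1]:
        raise MalformedFrame("checksum mismatch")
    return HartFrame(long_addr, frame_type, bytes(address), command, bytes(data))


def is_valid_hart_frame(raw: bytes) -> bool:
    """Boolean wrapper for code paths that only need to drop bad frames."""
    try:
        parse_hart_frame(raw)
        return True
    except MalformedFrame:
        return False


def build_hart_frame(frame_type: int, address: bytes, command: int, data: bytes,
                     preamble: int = 5) -> bytes:
    """Encode a well-formed frame; used only to construct the sample input below."""
    if len(address) not in (1, 5):
        raise ValueError("address must be 1 (short) or 5 (long) bytes")
    delimiter = (0x80 if len(address) == 5 else 0x00) | (frame_type & 0x07)
    body = bytes([delimiter]) + address + bytes([command, len(data)]) + data
    return bytes([PREAMBLE]) * preamble + body + bytes([xor_checksum(body)])


# Constructed sample: a slave-to-master ACK from short address 0 with five data bytes.
SAMPLE_ACK = build_hart_frame(6, b"\x00", 0, bytes.fromhex("0000fe261e"))
# The same frame with its byte count (index 8: five preamble bytes, delimiter,
# address, command) overwritten with 0xFF; a trusting parser would read past the end.
TAMPERED_COUNT = bytearray(SAMPLE_ACK)
TAMPERED_COUNT[8] = 0xFF
TAMPERED_COUNT = bytes(TAMPERED_COUNT)

if __name__ == "__main__":
    print(parse_hart_frame(SAMPLE_ACK))
    print("tampered frame accepted:", is_valid_hart_frame(TAMPERED_COUNT))
```

The design point is that every length the parser relies on is derived from the bytes present, never from a field in the frame alone, and the checksum is verified before any field is handed to application code; an FDT frame application that fronts its DTMs with this kind of gate degrades to a logged, dropped frame instead of the restart the researcher describes.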

Bolshev says so far they have notified roughly three quarters of the affected companies and most of them have responded.

*Updated: ICS-CERT updated its advisory to state that no known public exploits specifically target this vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
