CVSS2: 2.1 Low
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS: 0.001 Low (Percentile: 28.3%)
This updated advisory is a follow-up to the original advisory titled ICSA-15-008-01 Emerson HART DTM Vulnerability that was published January 8, 2015, on the NCCIC/ICS-CERT web site.
Alexander Bolshev of Digital Security has identified an improper input vulnerability in the CodeWrights HART Device Type Manager (DTM) library utilized in Emerson’s HART DTM. CodeWrights has addressed the vulnerability with a new library, which Emerson has begun to integrate. Emerson has tested the new library to validate that it resolves the vulnerability.
No known public exploits specifically target this vulnerability.
The following products use the vulnerable HART DTM library and are affected:
The vulnerability causes the HART DTM component to crash and also causes the HART service to stop responding. No loss of information or loss of control or view by the control system results from an attacker successfully exploiting this vulnerability.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Emerson Process Management is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.
The affected products are HART-based field devices. According to Emerson, these products are deployed across multiple critical infrastructure sectors. Emerson estimates that these products are used worldwide.
Specially crafted response packets sent directly on the 4-20 mA current loop cause the DTM component to stop functioning and the Field Device Tool (FDT) Frame application to become unresponsive. A manipulated HART device and physical network access are required to exploit this vulnerability.
CVE-2014-9191 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9191; NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory). A CVSS v2 base score of 1.8 has been assigned; the CVSS vector string is (AV:A/AC:H/Au:N/C:N/I:N/A:P) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:A/AC:H/Au:N/C:N/I:N/A:P, web site last accessed January 08, 2014).
Physical network access is required to exploit this vulnerability.
No known public exploits specifically target this vulnerability.
Crafting a working exploit for this vulnerability would be difficult. Physical access to the 4 mA to 20 mA current loop is required in conjunction with a connected HART device modified to send crafted packets. The exploit also requires specific timing for the spoofed response. This decreases the likelihood of a successful exploit.
Emerson updated the HART DTM for the Rosemount 644 Temperature Transmitter Rev. 8, DTM Version 1.4.181 on November 17, 2014. Installing this DTM will resolve the vulnerability for all the impacted Emerson products listed above. Emerson recommends downloading the updated DTM from its web site:
An attacker would require physical access to the HART loop in order to execute this attack. The vulnerability is exploited by connecting a rogue device to the HART loop and sending malformed data to the frame. If the end user has adequate physical protection of the HART loop in place, exploitation is not possible. Field devices and WirelessHART installations are unaffected. Emerson recommends having physical protection of the end users’ entire infrastructure.
More details can be found in Emerson’s advisory, located at:
http://www2.emersonprocess.com/siteadmincenter/PM%20Central%20Web%20Documents/EMR%20EPM14001-1.pdf
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
www2.emersonprocess.com/en-US/documentation/deviceinstallkits/Pages/deviceinstallkitsearch.aspx