Emerson HART DTM Vulnerability
Low Risk · ICS-CERT ICSA-15-008-01A · Oct 11, 2015
Summary
Multiple Emerson Rosemount, Fisher Controls, and Micro Motion instrumentation devices contain an improper input validation flaw in the HART protocol implementation. The vulnerability allows malformed HART commands to be processed without proper error handling, affecting dozens of transmitter models (pressure, temperature, level, flow), mass flow analyzers, valve controllers, and analytical sensors. No patches are available for any affected device.
What this means
What could happen
An attacker could send malformed HART commands to these transmitters, pressure sensors, flow meters, and valve controllers, potentially causing them to malfunction, report incorrect readings, or stop communicating with control systems. This could disrupt process monitoring and control in water treatment, power generation, or chemical processing facilities.
Who's at risk
Water utilities, electric utilities, and chemical/refining plants that use Rosemount, Fisher Controls, or Micro Motion instrumentation (transmitters, flow meters, level sensors, valve controllers) for process monitoring and control. Any facility relying on HART-enabled pressure transmitters, temperature sensors, flow meters, or mass energy flow devices is potentially affected.
How it could be exploited
An attacker with network access to a HART-enabled device (such as through an engineering workstation, modem, or HyperLAN connection) could send crafted HART protocol messages that bypass input validation. The device would process these malformed commands without proper error handling, leading to unexpected behavior or loss of functionality.
Prerequisites
- Network access to HART communication port or interface on the affected device
- Ability to send HART protocol messages to the device
- Device must be communicating via HART (no authentication required for HART protocol itself)
- No patch available for any affected device
- Affects critical instrumentation (transmitters, flow meters, valve controllers)
- CWE-20 improper input validation
- All instrumentation devices remain vulnerable indefinitely
- Wide range of Emerson and Rosemount products affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (57)
57 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| Rosemount 3051SMV MultiVariable Mass Energy Flow | Rev. 1 | No fix yet |
| Rosemount 3095M MultiVariable Mass Flow | Rev. 2 | No fix yet |
| Rosemount 3100 Ultrasonic Level Transmitter | Rev. 5 | No fix yet |
| Rosemount 3144P Temperature Transmitter | 3, 4, 5, 6 | No fix yet |
| Rosemount 3300 Radar Level and Interface Transmitter | Rev. 3 | No fix yet |
Remediation & Mitigation
Do now
- [WORKAROUND] Firewall rules: Restrict HART communication to only authorized engineering workstations and control system gateways using port filtering if HART is tunneled over Ethernet/TCP-IP
- [WORKAROUND] Review and restrict physical/dial-up access: If HART devices have modems or remote maintenance ports, disable or restrict these unless actively needed
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- [WORKAROUND] Contact Emerson for security guidance: Since no patches are available, work with the vendor on compensating controls specific to your installed devices
Long-term hardening
- [HARDENING] Network segmentation: Isolate HART-enabled devices on a dedicated instrumentation network with restricted access from engineering workstations and control system networks
- [HARDENING] Monitor HART communications: Enable logging of HART protocol traffic to detect anomalous commands
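For the "Monitor HART communications" item, here is an added example (not from the advisory or from Emerson) of structural checks a traffic logger can run on each captured HART frame. The frame layout used (0xFF preamble, delimiter, 1- or 5-byte address, command, byte count, data, XOR checksum) is the general HART data-link format, which the page does not give; `MIN_PREAMBLE`, the function names, and the sample frames are assumptions constructed for illustration and do not represent the malformed input behind this advisory.

```python
from functools import reduce
from operator import xor

FRAME_TYPES = {0x01: "burst", 0x02: "request", 0x06: "response"}  # delimiter bits 2-0
MIN_PREAMBLE = 2  # assumption: fewest 0xFF preamble bytes this monitor accepts

def check_hart_frame(raw: bytes) -> list[str]:
    """Return anomalies found in one captured frame; an empty list means well-formed."""
    anomalies = []
    body = raw.lstrip(b"\xff")               # drop the preamble
    if len(raw) - len(body) < MIN_PREAMBLE:
        anomalies.append("short preamble")
    if not body:
        return anomalies + ["no delimiter"]
    delim = body[0]
    kind = FRAME_TYPES.get(delim & 0x07)
    if kind is None:
        anomalies.append(f"unknown frame type 0x{delim & 0x07:02x}")
    addr_len = 5 if delim & 0x80 else 1      # bit 7 set: long (unique) address
    exp_len = (delim >> 5) & 0x03            # bits 6-5: number of expansion bytes
    header = 1 + addr_len + exp_len + 2      # delimiter, address, command, byte count
    if len(body) < header + 1:
        return anomalies + ["truncated header"]
    count = body[header - 1]
    data_len = len(body) - header - 1        # bytes between byte count and checksum
    if count != data_len:
        anomalies.append(f"byte count {count} but {data_len} data bytes captured")
    if kind in ("response", "burst") and count < 2:
        anomalies.append("response without 2 status bytes")
    if reduce(xor, body[:-1]) != body[-1]:   # checksum covers delimiter through data
        anomalies.append("bad checksum")
    return anomalies

def build(delim, addr, cmd, data, count=None):
    """Helper for the constructed samples: assemble a frame with a valid checksum."""
    n = len(data) if count is None else count
    body = bytes([delim]) + addr + bytes([cmd, n]) + data
    return b"\xff" * 5 + body + bytes([reduce(xor, body)])

# Constructed samples (not captured traffic)
GOOD_REQUEST = build(0x02, b"\x80", 0x00, b"")
GOOD_RESPONSE = build(0x86, b"\x80\x01\x02\x03\x04", 0x00, b"\x00\x00\x01\x02")
BAD_COUNT = build(0x02, b"\x80", 0x01, b"\xaa\xbb", count=0x10)
BAD_CHECKSUM = GOOD_REQUEST[:-1] + b"\x00"

if __name__ == "__main__":
    for name in ("GOOD_REQUEST", "GOOD_RESPONSE", "BAD_COUNT", "BAD_CHECKSUM"):
        print(name, check_hart_frame(globals()[name]) or "ok")
```

Logging the returned anomaly list alongside the source interface and timestamp gives the baseline needed to spot frames that deviate from normal engineering-workstation traffic.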
CVEs (1)