Magnetrol HART DTM Vulnerability
Low Risk | ICS-CERT ICSA-15-027-01 | Oct 30, 2015
Summary
Magnetrol HART DTM (Device Type Manager) devices with various firmware versions contain an input validation weakness (CWE-20) that could allow improper data handling through HART protocol communication. Affected products include Eclipse Model 705 Guided Wave Radar transmitter (Firmware 3.x), Echotel Model 355 Ultrasonic transmitter (Firmware 1.x), Model R82 Pulse Burst Radar Transmitter (firmware versions 1.x and 2.x), and Thermatel Model TA2 Thermal Mass Flowmeter (Firmware 2.x). The vendor has not released patches for any affected product.
What this means
What could happen
An attacker could send malformed HART protocol commands to these transmitters, potentially causing incorrect sensor readings or device malfunction that could disrupt process monitoring and control in water and industrial applications.
Who's at risk
Water treatment plants and municipal utilities using Magnetrol HART transmitters for level, flow, or temperature measurement should take note. This affects distributed process instrumentation—specifically guided wave radar level transmitters (Eclipse 705), ultrasonic transmitters (Echotel 355), pulse radar transmitters (Model R82), and thermal mass flowmeters (Thermatel TA2)—that feed data into SCADA or local control systems.
How it could be exploited
An attacker with network access to the HART communication path (either directly or through a process control network) could send specially crafted input data via HART protocol to the transmitter. The lack of input validation would allow this malformed data to be processed, potentially causing the device to misreport measurements or stop responding correctly to legitimate control commands.
Prerequisites
- Network access to HART protocol communications (typically on 4-20mA loop or HART gateway)
- Ability to craft and send HART protocol messages to the affected transmitter
No patch available | Affects instrumentation/sensor systems | Low complexity exploitation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
Eclipse Model 705 Guided Wave Radar transmitter | Firmware 3.x | No fix (EOL)
Echotel Model 355 Ultrasonic transmitter | Firmware 1.x | No fix (EOL)
Model R82 Pulse Burst Radar Transmitter | 1.x and 2.x | No fix (EOL)
Thermatel Model TA2 Thermal Mass Flowmeter | Firmware 2.x | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Deploy a HART gateway with input validation or monitoring capability to filter and validate HART protocol messages before they reach transmitters
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Eclipse Model 705 Guided Wave Radar transmitter (Firmware 3.x), Echotel Model 355 Ultrasonic transmitter (Firmware 1.x), Model R82 Pulse Burst Radar Transmitter (1.x and 2.x), Thermatel Model TA2 Thermal Mass Flowmeter (Firmware 2.x). Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate HART transmitters on a separate instrument network with access controls and firewall rules limiting communication to only authorized engineering workstations and PLC/control systems
HARDENING: Monitor HART devices for unexpected behavior, malformed responses, or communication errors that could indicate exploitation attempts
HARDENING: Contact Magnetrol to confirm whether newer firmware versions or product lines are available that address this input validation issue
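The gateway-validation workaround and the monitoring control above both come down to checking each HART frame's structure before trusting it. The following is an added example, not code from the advisory or from Magnetrol. It assumes the standard HART data-link frame layout with the preamble already stripped, and its sample frames are constructed. The checks are generic structural ones and do not model the specific defect, which the advisory does not describe.

```python
# Added example: structural checks on one HART frame (preamble removed).
# Assumed layout: delimiter | address (1 or 5 bytes) | expansion bytes |
#                 command | byte count | data | checksum (XOR of all prior bytes)
FRAME_TYPES = {0x01: "BACK", 0x02: "STX", 0x06: "ACK"}


def lrc(data: bytes) -> int:
    """Longitudinal parity: XOR of every byte."""
    parity = 0
    for b in data:
        parity ^= b
    return parity


def check_hart_frame(frame: bytes) -> list:
    """Return the problems found; an empty list means the frame is well formed."""
    if len(frame) < 5:
        return ["frame shorter than the 5-byte minimum"]
    problems = []
    delim = frame[0]
    ftype = delim & 0x07
    if ftype not in FRAME_TYPES:
        problems.append(f"unknown frame type in delimiter 0x{delim:02X}")
    addr_len = 5 if delim & 0x80 else 1      # bit 7 set: 5-byte unique address
    exp_len = (delim >> 5) & 0x03            # bits 6-5: number of expansion bytes
    header_len = 1 + addr_len + exp_len + 2  # plus command and byte count
    if len(frame) < header_len + 1:
        return problems + ["frame too short for its header and checksum"]
    byte_count = frame[header_len - 1]
    expected = header_len + byte_count + 1
    if len(frame) != expected:
        problems.append(f"byte count {byte_count} implies {expected} bytes, got {len(frame)}")
    if ftype in (0x01, 0x06) and byte_count < 2:
        problems.append("response byte count cannot hold the 2 status bytes")
    if lrc(frame[:-1]) != frame[-1]:
        problems.append(f"checksum mismatch: computed 0x{lrc(frame[:-1]):02X}, "
                        f"frame has 0x{frame[-1]:02X}")
    return problems


def with_checksum(body: bytes) -> bytes:
    return body + bytes([lrc(body)])


# Constructed sample frames (short address 0, primary master bit set).
GOOD_REQUEST = with_checksum(bytes([0x02, 0x80, 0x00, 0x00]))
GOOD_RESPONSE = with_checksum(bytes([0x06, 0x80, 0x00, 0x04, 0x00, 0x00, 0xFE, 0x11]))
OVERSTATED_COUNT = with_checksum(bytes([0x06, 0x80, 0x00, 0x20, 0x00, 0x00, 0xFE, 0x11]))
BAD_CHECKSUM = GOOD_REQUEST[:-1] + b"\x00"
```

A gateway or passive monitor would drop or log any frame for which `check_hart_frame` returns a non-empty list, and alert on a sustained rate of such frames.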
CVEs (1)