OTPulse

Honeywell HART DTM Vulnerability

Low Risk | ICS-CERT ICSA-15-029-01 | Nov 1, 2015
Summary

A vulnerability in Honeywell HART DTM (Device Type Manager) software affects multiple HART 5 and HART 6 transmitter models. The flaw is improper input validation (CWE-20) in the DTM software used to configure and manage these devices. The original advisory provides no technical details of the specific attack vector.

What this means
What could happen
An attacker could send malformed input to a HART transmitter's DTM configuration interface, potentially causing the device to malfunction or stop reporting critical process measurements such as pressure, temperature, or flow rate to your control system.
Who's at risk
Water and electric utilities, petrochemical facilities, and other process industries that rely on Honeywell HART 5 or HART 6 transmitters (pressure, temperature, flow, and level measurement devices) for critical instrumentation and control. Any facility using STT25T, STT25H, STT25S, or ST 3000 series HART transmitters is affected.
How it could be exploited
An attacker would need network access to the engineering workstation or control system network where the HART DTM software is running. They would craft malformed input directed at the DTM interface or the transmitter device itself to trigger the input validation flaw and disrupt normal device operation.
Prerequisites
  • Network access to the HART transmitter or the engineering workstation running HART DTM software
  • Ability to send crafted input to the DTM configuration interface or transmitter port
No patch available | Input validation flaw (CWE-20) | Affects critical measurement devices | Low exploit probability (0.1% EPSS)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8)
8 EOL
Product                                                     Affected Versions  Fix Status
Honeywell STT25T HART 5 Transmitter                         1|2                No fix (EOL)
Honeywell STT25H HART 5 Transmitter                         1|3                No fix (EOL)
Honeywell STT25S HART 5 Transmitter                         Rev. 2             No fix (EOL)
Honeywell ST 3000 HART 5 Transmitter                        Rev. 1             No fix (EOL)
Honeywell ST 3000 HART 6 Transmitter                        Rev. 1             No fix (EOL)
Honeywell ST 3000 H6 Transmitter with Advanced Diagnostics  Rev. 1             No fix (EOL)
Honeywell ST STT25H HART 5 Transmitter                      Rev. 1             No fix (EOL)
Honeywell ST STT25S HART 6 Transmitter                      Rev. 1             No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to HART transmitters and engineering workstations running HART DTM to authorized personnel only; implement firewall rules to limit communication to trusted control system networks.
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • Honeywell STT25T HART 5 Transmitter: 1|2
  • Honeywell STT25H HART 5 Transmitter: 1|3
  • Honeywell STT25S HART 5 Transmitter: Rev. 2
  • Honeywell ST 3000 HART 5 Transmitter: Rev. 1
  • Honeywell ST 3000 HART 6 Transmitter: Rev. 1
  • Honeywell ST 3000 H6 Transmitter with Advanced Diagnostics: Rev. 1
  • Honeywell ST STT25H HART 5 Transmitter: Rev. 1
  • Honeywell ST STT25S HART 6 Transmitter: Rev. 1
Apply the following compensating controls:
HARDENING: Disable HART DTM remote configuration if not required for operations; require local, in-person access to configure transmitters where possible.
HARDENING: Monitor HART device communications for unusual or malformed input patterns that may indicate exploitation attempts.