Yokogawa HART Device DTM Vulnerability
Low Risk | ICS-CERT ICSA-15-048-03 | Nov 20, 2015
Summary
Yokogawa HART Device DTM (Device Type Manager) contains a buffer overflow vulnerability (CWE-120) affecting magnetic flowmeters, pressure transmitters, temperature transmitters, and various transmitter/analyzer modules. The vulnerability exists in HART protocol device type manager software that communicates with these instruments. Affected product lines include ADMAG series flowmeters, EJA/EJX pressure transmitters, YTA temperature transmitters, and numerous analyzer/converter modules across multiple revisions. No vendor patch is available for any affected device.
What this means
What could happen
An attacker with access to the HART communication network could exploit a buffer overflow to crash instrumentation devices or potentially execute code, disrupting flow rate, pressure, and temperature measurements critical to process control and safety monitoring.
Who's at risk
Water and wastewater treatment plants, power generation facilities, and process manufacturing operations that rely on Yokogawa HART-based instrumentation for flow measurement (magnetic flowmeters, vortex meters, Coriolis mass meters), pressure/differential pressure sensing, temperature monitoring, and quality analysis. Specifically affects ADMAG, EJA, EJX, YTA, ROTAMASS, and analyzer module lines (DO202, PH450, SC450, ZR402, ISC450, etc.) used in water quality and process monitoring.
How it could be exploited
An attacker with network access to HART-enabled instruments would craft a malformed HART protocol message targeting the device type manager software. When the device processes this message, the buffer overflow could be triggered, potentially allowing arbitrary code execution or device crash, disrupting measurement and control signals in the process.
Prerequisites
- Network access to HART communication devices or gateway
- HART protocol connectivity to affected instruments
- Knowledge of target device model and revision
- No patch available
- Affects measurement/sensing systems (flowmeters, pressure/temperature transmitters)
- Buffer overflow vulnerability (low complexity to exploit once vector identified)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (30)
5 pending, 25 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Dpharp EJA/EJA-A Series Pressure Transmitters/Differential Pressure Transmitters | Rev.1, Rev.2, Rev.3 | No fix yet |
| Dpharp EJX Series Pressure Transmitters/Differential Pressure Transmitters | Rev.1, Rev.2, Rev.3 | No fix yet |
| EJX Multivariable Transmitters (EJX910A/EJX930A) | Rev.1, Rev.2 | No fix yet |
| ADMAG AE Series Magnetic Flowmeters (AE/AE14) | Rev.1, Rev.2 | No fix (EOL) |
| ADMAG SE Series Magnetic Flowmeters (SE/SE14) | Rev.1, Rev.2 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement HART network segmentation: restrict HART gateway/protocol access to trusted engineering workstations and control systems only, using network firewalls or managed switches with port filtering
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor HART communication for anomalous protocol messages or device resets using available network monitoring tools
- HARDENING: Document all affected Yokogawa instruments in your inventory by model and revision for tracking and future remediation planning
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ADMAG AE Series Magnetic Flowmeters (AE/AE14): Rev.1|Rev.2, ADMAG SE Series Magnetic Flowmeters (SE/SE14): Rev.1|Rev.2, AM11 Magnetic Flowmeter Remote Converter: Rev.1, AXFA11 Magnetic Flowmeter Remote Converter: Rev.1, ADMAG AXF Series Magnetic Flowmeters (AXF/AXFA14): Rev.1, ADMAG AXR Two-wire Magnetic Flowmeters: Rev.1|Rev.2, digitalYEWFLO Vortex Flowmeter: Rev.1|Rev.2|Rev.3|Rev.4, Rotameter: Rev.1, YEWFLO Vortex Flowmeter: Rev.1|Rev.2, YT200 Temperature Transmitters: Rev.1, YTA110/YTA310/YTA320 Temperature Transmitters: Rev.1|Rev.2|Rev.3, YTA70 Temperature Transmitters: Rev.1, AV550G: Rev.1, DO202: Rev.1, ISC450: Rev.1|Rev.2, PH150: Rev.1|Rev.2, PH202: Rev.1, PH450: Rev.1|Rev.2, SC150: Rev.1|Rev.2, SC450: Rev.1|Rev.2, ZR202: Rev.1, ZR402: Rev.1, Differential Pressure Transmitters: Rev.1, ISC202: Rev.1, SC202: Rev.1. Apply the following compensating controls:
- HARDENING: Contact Yokogawa technical support to confirm current product end-of-life status and determine long-term replacement timeline for unsupported revisions
- HARDENING: Plan replacement or upgrade of affected instruments to newer revisions as part of normal capital equipment refresh cycles
CVEs (1)