Endress+Hauser HART Device DTM Vulnerability
Low RiskICS-CERT ICSA-15-237-01May 28, 2015
Water
Summary
Endress+Hauser HART Device DTM (Device Type Manager) contains an improper input validation vulnerability (CWE-20) affecting HART-enabled process measurement devices used in water systems. The vulnerability allows manipulation of device parameter data through HART communication. Affected products include pressure transmitters (Cerabar, Deltabar, Deltapilot), flow meters (Promag, Promass, Prosonic, Prowirl), level transmitters (Levelflex, Micropilot), temperature sensors (iTemp, Omnigrad, Prothermo), and analytics systems (Liquiline, Liquisys) manufactured by Endress+Hauser. Firmware and software versions from approximately 2010 through 2015 are affected across more than 100 product variants.
What this means
What could happen
An attacker with network access to a HART device could send malformed input data to cause the device to accept invalid parameter values or enter an error state, potentially degrading measurement accuracy, triggering false alarms, or disrupting process control loops that rely on sensor readings for treatment decisions.
Who's at risk
Water utilities operating Endress+Hauser HART-enabled measurement and analytics instrumentation should assess exposure. This includes operators of pressure transmitters in transmission and treatment systems, flow meters in distribution networks, level sensors in storage tanks and basins, temperature monitoring in heated processes, and conductivity/pH analyzers in treatment plants. Municipal water authorities with automation systems integrating these devices via HART protocol are directly impacted.
How it could be exploited
An attacker reachable on the HART network segment (either via direct connection to process instrumentation or through a compromised field device gateway) can craft and transmit specially formatted HART protocol messages containing invalid parameter values. The vulnerable firmware does not properly validate input before applying these parameters to the device, allowing the attacker to corrupt sensor configuration or force a device malfunction without credentials.
Prerequisites
- Network access to HART communication bus or field network segment where vulnerable devices are deployed
- Ability to send HART protocol frames to the target device address
- No authentication or valid credentials required
No patch available for majority of affected productsAffects critical measurement devices (pressure, flow, level, temperature)Remotely exploitable if HART network is routableNo authentication requiredLow exploitation complexity
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (224)
184 pending40 EOL
ProductAffected VersionsFix Status
Liquiline pHORP / CM 42 / HART: FW_2.01.zz_/_Dev.Rev._1FW 2.01.zz / Dev.Rev. 1No fix yet
Liquiport / CSPxx / HART: FW_01.02.zz_/_Dev.Rev.1FW 01.02.zz / Dev.Rev.1No fix yet
Liquistation / CSFxx / HART: FW_01.02.zz_/_Dev.Rev.1FW 01.02.zz / Dev.Rev.1No fix yet
Liquiline M pH-ORP / CM 42: V10.04.07V10.04.07No fix (EOL)
Liquiline M pH-ORP / CM 42: V10.04.xxV10.04.xxNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1WORKAROUNDDisable HART remote parameter writing where not operationally required; use engineering workstations with physical or role-based access controls for configuration changes
Mitigations - no patch available
0/3The following products have reached End of Life with no planned fix: Liquiline M pH-ORP / CM 42: V10.04.07, Liquiline M pH-ORP / CM 42: V10.04.xx, Liquiline Oxygen / CM 42 / HART: FW_2.01.zz_/_Dev.Rev._1, Cerabar M / PMx 4x: >=V1.0|<=1.2, Cerabar S / PMx 7x / HART: FW_2.20.zz_/_Dev.Rev._22, Deltabar M 5x / PMD 55: V1.00.xx, Deltapilot S / DB 5x: V2.0, Promag / 10: >=V1.00.00|<=V1.00.02, Promag / 10: V1.01.00, Promag / 50 / HART: FW_2.04.zz_/_Dev.Rev._9, Promag / 50: V1.02.0x, Promag / 50: V1.04.0x, Promass / 40: V1.02.0x, Promass / 40: V1.04.0x, Promass / 40: V1.05.0x, Promass / 40: V1.06.0x, Promass / 40: V2.00.0x, Promass / 40: V2.01.0x, Prosonic Flow / 90: V1.04.0x, Prosonic Flow / 90: V1.06.0x, Prosonic Flow / 90: V2.00.0x, Prosonic Flow / 90: V2.01.0x, Prowirl / 70: V1.1.01, Liquiline M pH-ORP / CM 42: V10.05.xx, Liquiline M pH-ORP / CM 42 / HART: FW_10.06.zz_/_Dev.Rev._0D, Liquiline M pH-ORP / CM 42 / HART: FW_10.07.zz_/_Dev.Rev._0E, Liquiline M pH-ORP / CM 42: V10.02.xx, Cerabar S / PMx 7x: V01.00, Cerabar S / PMx 7x: V02.00, Cerabar S / PMx 7x: V02.10.xx, Deltapilot S / DB 5x: V1.x, Promag / 10: V1.02.00, Promag / 10: V1.03.00, Promag / 50: V1.06.0x, Promag / 50: V2.00.00, Promag / 50: V2.01.xx, Promag / 50: V2.02.xx, Promag / 50: V2.03.xx, Promass / 40: V2.02.0x, Promass / 40: V3.01.0x. Apply the following compensating controls:
HARDENINGIsolate HART network segments from untrusted networks using network segmentation and firewalls; restrict access to HART gateways and field device integration points
HARDENINGMonitor HART network traffic for malformed or anomalous parameter write commands targeting process instruments
HARDENINGDocument all vulnerable device serial numbers, locations, and model numbers for end-of-life replacement planning
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/1750b4a5-87d5-4852-80c9-4203b4fbb13fGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.