Endress+Hauser HART Device DTM Vulnerability
Low Risk · ICS-CERT ICSA-15-237-01 · May 28, 2015
Summary
Endress+Hauser HART Device DTM (Device Type Manager) contains an improper input validation vulnerability (CWE-20) affecting HART-enabled process measurement devices used in water systems. The vulnerability allows manipulation of device parameter data through HART communication. Affected products include pressure transmitters (Cerabar, Deltabar, Deltapilot), flow meters (Promag, Promass, Prosonic, Prowirl), level transmitters (Levelflex, Micropilot), temperature sensors (iTemp, Omnigrad, Prothermo), and analytics systems (Liquiline, Liquisys) manufactured by Endress+Hauser. Firmware and software versions from approximately 2010 through 2015 are affected across more than 100 product variants.
What this means
What could happen
An attacker with network access to a HART device could send malformed input data to cause the device to accept invalid parameter values or enter an error state, potentially degrading measurement accuracy, triggering false alarms, or disrupting process control loops that rely on sensor readings for treatment decisions.
Who's at risk
Water utilities operating Endress+Hauser HART-enabled measurement and analytics instrumentation should assess exposure. This includes operators of pressure transmitters in transmission and treatment systems, flow meters in distribution networks, level sensors in storage tanks and basins, temperature monitoring in heated processes, and conductivity/pH analyzers in treatment plants. Municipal water authorities with automation systems integrating these devices via HART protocol are directly impacted.
How it could be exploited
An attacker reachable on the HART network segment (either via direct connection to process instrumentation or through a compromised field device gateway) can craft and transmit specially formatted HART protocol messages containing invalid parameter values. The vulnerable firmware does not properly validate input before applying these parameters to the device, allowing the attacker to corrupt sensor configuration or force a device malfunction without credentials.
Prerequisites
- Network access to HART communication bus or field network segment where vulnerable devices are deployed
- Ability to send HART protocol frames to the target device address
- No authentication or valid credentials required
Key facts
- No patch available for the majority of affected products
- Affects critical measurement devices (pressure, flow, level, temperature)
- Remotely exploitable if the HART network is routable
- No authentication required
- Low exploitation complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (224)
184 pending, 40 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Liquiline pHORP / CM 42 / HART: FW_2.01.zz_/_Dev.Rev._1 | FW 2.01.zz / Dev.Rev. 1 | No fix yet |
| Liquiport / CSPxx / HART: FW_01.02.zz_/_Dev.Rev.1 | FW 01.02.zz / Dev.Rev.1 | No fix yet |
| Liquistation / CSFxx / HART: FW_01.02.zz_/_Dev.Rev.1 | FW 01.02.zz / Dev.Rev.1 | No fix yet |
| Liquiline M pH-ORP / CM 42: V10.04.07 | V10.04.07 | No fix (EOL) |
| Liquiline M pH-ORP / CM 42: V10.04.xx | V10.04.xx | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Disable HART remote parameter writing where not operationally required; use engineering workstations with physical or role-based access controls for configuration changes
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Liquiline M pH-ORP / CM 42: V10.04.07, Liquiline M pH-ORP / CM 42: V10.04.xx, Liquiline Oxygen / CM 42 / HART: FW_2.01.zz_/_Dev.Rev._1, Cerabar M / PMx 4x: >=V1.0|<=1.2, Cerabar S / PMx 7x / HART: FW_2.20.zz_/_Dev.Rev._22, Deltabar M 5x / PMD 55: V1.00.xx, Deltapilot S / DB 5x: V2.0, Promag / 10: >=V1.00.00|<=V1.00.02, Promag / 10: V1.01.00, Promag / 50 / HART: FW_2.04.zz_/_Dev.Rev._9, Promag / 50: V1.02.0x, Promag / 50: V1.04.0x, Promass / 40: V1.02.0x, Promass / 40: V1.04.0x, Promass / 40: V1.05.0x, Promass / 40: V1.06.0x, Promass / 40: V2.00.0x, Promass / 40: V2.01.0x, Prosonic Flow / 90: V1.04.0x, Prosonic Flow / 90: V1.06.0x, Prosonic Flow / 90: V2.00.0x, Prosonic Flow / 90: V2.01.0x, Prowirl / 70: V1.1.01, Liquiline M pH-ORP / CM 42: V10.05.xx, Liquiline M pH-ORP / CM 42 / HART: FW_10.06.zz_/_Dev.Rev._0D, Liquiline M pH-ORP / CM 42 / HART: FW_10.07.zz_/_Dev.Rev._0E, Liquiline M pH-ORP / CM 42: V10.02.xx, Cerabar S / PMx 7x: V01.00, Cerabar S / PMx 7x: V02.00, Cerabar S / PMx 7x: V02.10.xx, Deltapilot S / DB 5x: V1.x, Promag / 10: V1.02.00, Promag / 10: V1.03.00, Promag / 50: V1.06.0x, Promag / 50: V2.00.00, Promag / 50: V2.01.xx, Promag / 50: V2.02.xx, Promag / 50: V2.03.xx, Promass / 40: V2.02.0x, Promass / 40: V3.01.0x. Apply the following compensating controls:
- HARDENING: Isolate HART network segments from untrusted networks using network segmentation and firewalls; restrict access to HART gateways and field device integration points
- HARDENING: Monitor HART network traffic for malformed or anomalous parameter write commands targeting process instruments
- HARDENING: Document all vulnerable device serial numbers, locations, and model numbers for end-of-life replacement planning
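As an added example, not part of the advisory or of any Endress+Hauser software, the following Python routine shows one way to implement the monitoring control above: it parses the HART token-passing frame layout (preamble, delimiter, short or long address, command, byte count, data, XOR checksum), flags frames whose byte count or checksum is malformed, and tags master-to-device requests that carry a universal write command. The command-number map, the frame builder and the sample addresses are assumptions constructed for illustration, not values taken from the advisory.

```python
from functools import reduce
from operator import xor

# HART universal commands that write device configuration (assumption: command
# numbers taken from the HART universal command set; device-specific practice
# commands are not listed, so extend this map for the instruments in use).
WRITE_COMMANDS = {6: "write polling address", 17: "write message",
                  18: "write tag/descriptor/date", 19: "write final assembly number",
                  22: "write long tag"}
STX = 2  # delimiter frame type: master -> field device request

def parse_hart_frame(raw: bytes) -> dict:
    """Parse one token-passing HART frame: preamble (0xFF...), delimiter,
    1- or 5-byte address, optional expansion bytes, command, byte count,
    data, then an XOR checksum over delimiter..data."""
    body = raw.lstrip(b"\xff")
    if len(body) < 4:
        raise ValueError("frame too short")
    delim = body[0]
    addr_len = 5 if delim & 0x80 else 1
    pos = 1 + addr_len + ((delim >> 5) & 0x03)   # index of the command byte
    if len(body) < pos + 3:
        raise ValueError("truncated header")
    command, count = body[pos], body[pos + 1]
    end = pos + 2 + count                        # index of the checksum byte
    if len(body) < end + 1:
        raise ValueError("byte count exceeds frame")
    return {"type": delim & 0x07, "command": command, "data": body[pos + 2:end],
            "checksum_ok": reduce(xor, body[:end], 0) == body[end]}

def build_stx(address: bytes, command: int, data: bytes = b"") -> bytes:
    """Constructed master->device request with a valid checksum (test input only)."""
    delim = 0x82 if len(address) == 5 else 0x02
    body = bytes([delim]) + address + bytes([command, len(data)]) + data
    return b"\xff" * 5 + body + bytes([reduce(xor, body, 0)])

def triage(raw: bytes) -> list:
    """Alert tags for one frame: malformed, bad checksum, or a write request."""
    try:
        f = parse_hart_frame(raw)
    except ValueError as e:
        return [f"malformed:{e}"]
    alerts = []
    if not f["checksum_ok"]:
        alerts.append("bad-checksum")
    if f["type"] == STX and f["command"] in WRITE_COMMANDS:
        alerts.append("write:" + WRITE_COMMANDS[f["command"]])
    return alerts
```

In a real deployment the frames would come from a HART multiplexer or gateway tap; every alert from a segment where no configuration change is scheduled is worth a ticket.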
CVEs (1)