Endress+Hauser Fieldcare/CodeWrights HART Comm DTM XML Injection Vulnerability
Plan Patch | 8.3 | ICS-CERT ICSA-15-267-01 | Jun 27, 2015
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Endress+Hauser Fieldcare and CodeWrights HART Comm DTM software contain an XML injection vulnerability (CWE-91) in their device management interface. All versions are affected. The vulnerability allows an attacker on the process network to inject malicious XML into communications with HART field instruments, potentially executing code or modifying device configurations. The vendor has not released a patch and does not plan to address this issue.
What this means
What could happen
An attacker with access to your process automation network could inject malicious XML into HART device management communications, allowing them to execute arbitrary code or alter device configurations that control field instruments and process parameters.
Who's at risk
This affects any water, wastewater, electric, or gas utility using Endress+Hauser HART field instruments (transmitters, analyzers, positioners) with Fieldcare or CodeWrights DTM software for device configuration and monitoring. HART Comm DTMs are commonly used to calibrate and manage intelligent instruments across process control systems.
How it could be exploited
An attacker on your plant network sends a specially crafted XML payload to a Fieldcare or CodeWrights HART Comm DTM instance. The XML parser does not properly validate the input, allowing the injection of executable code or configuration changes that propagate to connected HART instruments (flow meters, pressure transmitters, valve positioners, etc.).
Prerequisites
- Network access to the Fieldcare/CodeWrights HART Comm DTM device or workstation on the process network
- The DTM must be actively receiving or processing HART communications
Tags: remotely exploitable, low complexity, no patch available, affects field device configuration
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: All HART DTM components relying on Fieldcare and CodeWrights HART Comm DTM: vers:all/*
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to Fieldcare and CodeWrights HART Comm DTM instances using firewall rules; allow only authorized engineering workstations and control systems to communicate with these components
- HARDENING: Segment your process automation network (HART devices and DTM tools) from general IT and remote access networks using air-gapping or VLANs with strict access control lists
- WORKAROUND: Validate and sanitize all input to HART device management tools at your network perimeter before it reaches DTM instances
Mitigations - no patch available
All HART DTM components relying on Fieldcare and CodeWrights HART Comm DTM (vers:all/*) have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Monitor and log all XML traffic to and from HART Comm DTM instances for signs of injection attempts or anomalous configuration changes
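The structural check that the input-validation and XML-monitoring items above call for, as an added example that is not from the advisory or the vendor: it contrasts concatenated and escaped XML construction (CWE-91) and flags messages whose structure deviates from an allowlist. The DeviceConfig message shape, its field names and the sample value are assumptions, since the advisory does not publish the DTM's XML format.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical message shape, assumed for illustration only.
ROOT = "DeviceConfig"
FIELDS = ("Tag", "Unit", "UpperRange")

def build_unsafe(tag, unit="bar", upper="10"):
    """CWE-91 pattern: untrusted text is concatenated straight into markup."""
    return f"<{ROOT}><Tag>{tag}</Tag><Unit>{unit}</Unit><UpperRange>{upper}</UpperRange></{ROOT}>"

def build_safe(tag, unit="bar", upper="10"):
    """Same message, with markup characters in each value escaped first."""
    t, u, r = (escape(v) for v in (tag, unit, upper))
    return f"<{ROOT}><Tag>{t}</Tag><Unit>{u}</Unit><UpperRange>{r}</UpperRange></{ROOT}>"

def check_message(raw):
    """Return findings for one message; an empty list means it has the expected shape."""
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
        return ["DTD or entity declaration present"]  # reject before parsing
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if root.tag != ROOT:
        return [f"unexpected root element: {root.tag}"]
    findings, seen = [], set()
    for child in root:
        if child.tag not in FIELDS:
            findings.append(f"unexpected element: {child.tag}")
        elif child.tag in seen:
            findings.append(f"duplicate element: {child.tag}")
        seen.add(child.tag)
        if len(child):
            findings.append(f"nested markup inside: {child.tag}")
    return findings

# Constructed sample value that closes <Tag> early and supplies its own <UpperRange>.
SAMPLE = "P-101</Tag><UpperRange>9999</UpperRange><Tag>x"

if __name__ == "__main__":
    for name, msg in (("unsafe", build_unsafe(SAMPLE)), ("safe", build_safe(SAMPLE))):
        print(name, check_message(msg) or "ok")
```

Findings from such a check are suited to the logging described above: a duplicate or unexpected element in a configuration message is the structural trace that injected markup leaves behind.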
CVEs (1)