OTPulse

Fieldcomm Group HART-IP and hipserver

Act Now | 9.8 | ICS-CERT ICSA-20-287-04 | Oct 13, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability in hipserver and HART-IP software allows remote code execution or denial of service. The vulnerability is reachable over the network without authentication and can crash the device or allow an attacker to run arbitrary commands on systems that handle HART-based field instrument communication.

What this means
What could happen
A remote attacker could crash the hipserver or HART-IP device or execute arbitrary code on it, potentially disrupting process control or data communication in HART-based instrumentation networks.
Who's at risk
Water and electric utilities that use Fieldcomm Group HART-IP communication for remote field instrumentation monitoring and diagnostics, including facilities using hipserver for data collection from HART-connected sensors and transmitters.
How it could be exploited
An attacker with network access to the hipserver or HART-IP device could send a specially crafted message that triggers a buffer overflow in the software. This allows the attacker to run commands directly on the device without needing a username or password.
Prerequisites
  • Network access to the hipserver or HART-IP device (typically port 5094 for HART-IP)
  • No credentials required
Remotely exploitable | No authentication required | Low complexity | Buffer overflow (CWE-121) | Affects instrumentation communication
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
hipserver: Release 3.6.1 | 3.6.1 | 3.7.0
HART-IP Developer kit: Release 1.0.0.0 | 1.0.0.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to hipserver and HART-IP devices—place them behind a firewall and do not expose to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade hipserver to version 3.7.0 or later
WORKAROUND: If remote access is required, use a VPN with current security patches
Mitigations - no patch available
HART-IP Developer kit: Release 1.0.0.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate HART-based instrumentation networks from business networks to limit attacker reach
Fieldcomm Group HART-IP and hipserver | CVSS 9.8 - OTPulse