Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                 Emerson HART DTM Vulnerability (Update A)
                              12 January 2015


        AusCERT Security Bulletin Summary

Product:           Emerson Hart DTM
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9191  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-008-01A)

Emerson HART DTM Vulnerability (Update A)

Original release date: January 09, 2015

All information products included in http://ics-cert.us-cert.gov are provided 
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product 
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.


This updated advisory is a follow-up to the original advisory titled 
ICSA-15-008-01 Emerson HART DTM Vulnerability that was published January 8, 
2015, on the NCCIC/ICS-CERT web site.

Independent researcher Alexander Bolshev has identified an improper input 
vulnerability in the CodeWrights HART Device Type Manager (DTM) library 
utilized in Emerson's HART DTM. CodeWrights has addressed the vulnerability 
with a new library, which Emerson has begun to integrate. Emerson has tested 
the new library to validate that it resolves the vulnerability.

- --------- Begin Update A Part 1 of 2 --------
No known public exploits specifically target this vulnerability.
- --------- End Update A Part 1 of 2 ----------


The following products use the vulnerable HART DTM library and are affected:

    Fisher Controls DVC6000 Digital Valve Controller Rev. 2.01,
    Fisher Controls International DVC2000 Digital Valve Controller Rev. 1.01,
    Micro Motion 1500 Rev. 5 and 6,
    Micro Motion 1700 Analog Rev. 5 and 6,
    Micro Motion 1700 IS Rev. 6,
    Micro Motion 1700 Rev. 5,
    Micro Motion 1700IS Rev. 5,
    Micro Motion 2000 Config I/O Rev. 5,
    Micro Motion 2200S Rev. 1,
    Micro Motion 2400S Analog Rev. 2, 3, and 4,
    Micro Motion 2500/2700 Config I/O Rev. 5 and 6,
    Micro Motion 2700 Analog Rev. 5 and 6,
    Micro Motion 2700 IS Rev. 5 and 6,
    Micro Motion RFT9739 Rev. 4,
    Micro Motion Series 3000 Rev. 7,
    Rosemount 1151 Pressure Transmitter Rev. 5 and 6,
    Rosemount 2051 Pressure Transmitter Rev. 3, 9, and 10,
    Rosemount 2088 Pressure Transmitter Rev. 3, 9, and 10,
    Rosemount 2090 Pressure Transmitter Rev. 3,
    Rosemount 248 Temperature Transmitter Rev. 2,
    Rosemount 3051 Pressure Transmitter Rev. 3, 7, 9, and 10,
    Rosemount 3051S Advanced Diagnostics Rev. 2 and 3,
    Rosemount 3051S Electronic Remote Sensors Rev. 1,
    Rosemount 3051S Pressure Transmitter Rev. 7,
    Rosemount 3051SMV Direct Process Variable Rev. 1,
    Rosemount 3051SMV MultiVariable Mass Energy Flow Rev. 1,
    Rosemount 3095M MultiVariable Mass Flow Rev. 2,
    Rosemount 3100 Ultrasonic Level Transmitter Rev. 5,
    Rosemount 3144P Temperature Transmitter Rev. 3, 4, 5, and 6
    Rosemount 3300 Radar Level and Interface Transmitter Rev. 3,
    Rosemount 333 Triloop Rev. 1,
    Rosemount 4500 Pressure Transmitter Rev. 7,
    Rosemount 4600 Pressure Transmitter Rev. 1,
    Rosemount 5300 Radar Level and Interface Transmitter Rev. 1, 2, and 3,
    Rosemount 5400 Radar Level Transmitter Rev. 1 and 2,
    Rosemount 644 Temperature Transmitter Rev. 6, 7, 8, and 9,
    Rosemount 8712D Magnetic Flowmeter Rev. 1,
    Rosemount 8712E Magnetic Flowmeter Rev. 3,
    Rosemount 8712H Magnetic Flowmeter Rev. 1,
    Rosemount 8732C Magnetic Flowmeter Rev. 7,
    Rosemount 8732E Magnetic Flowmeter Rev. 2,
    Rosemount 8800C Vortex Flowmeter Rev. 3,
    Rosemount 8800D Vortex Flowmeter Rev. 1 and 2,
    Rosemount Analytical 1056 Rev. 1 and 2,
    Rosemount Analytical 5081A Rev. 2,
    Rosemount Analytical 5081CT Rev. 1,
    Rosemount Analytical 5081p Rev. 2,
    Rosemount Analytical 54eA Rev. 2,
    Rosemount Analytical 54eC Rev. 1,
    Rosemount Analytical 54epH Rev. 2,
    Rosemount Analytical OCT4000 Rev. 3,
    Rosemount Analytical OCX8800 Rev. 3,
    Rosemount Analytical XmtA Rev. 1,
    Rosemount Analytical XmtCT Rev. 1,
    Rosemount Analytical XmtpH Rev. 1,
    Rosemount Metran 150 Pressure Transmitter Rev. 9 and 10, and
    Rosemount Metran 75 Pressure Transmitter Rev. 9 and 10.


The vulnerability causes the HART DTM component to crash and also causes the 
HART service to stop responding. No loss of information or loss of control or
view by the control system results from an attacker successfully exploiting 
this vulnerability.

Impact to individual organizations depends on many factors that are unique to 
each organization. ICS-CERT recommends that organizations evaluate the impact 
of this vulnerability based on their operational environment, architecture, 
and product implementation.


Emerson Process Management is a global manufacturing and technology company 
offering multiple products and services in the industrial, commercial, and 
consumer markets through its network power, process management, industrial 
automation, climate technologies, and tools and storage businesses.

The affected products are HART-based field devices. According to Emerson, these
products are deployed across multiple critical infrastructure sectors. Emerson
estimates that these products are used worldwide.




By sending specially crafted response packets directly on the 4-20 mA current
loop, the DTM component stops functioning and Field Device Tool (FDT) Frame 
application becomes unresponsive. A manipulated HART device and physical 
network access is required to exploit this vulnerability

CVE-2014-9191[b] has been assigned to this vulnerability. A CVSS v2 base score 
of 1.2 has been assigned; the CVSS vector string is 



Physical network access is required to exploit this vulnerability.


- --------- Begin Update A Part 2 of 2 --------

No known public exploits specifically target this vulnerability.

- --------- End Update A Part 2 of 2 ----------


Crafting a working exploit for this vulnerability would be difficult. Physical
access to the 4 mA to 20 mA current loop is required in conjunction with a 
connected HART device modified to send crafted packets. The exploit also 
requires specific timing for the spoofed response. This decreases the 
likelihood of a successful exploit.


Emerson updated the HART DTM for the Rosemount 644 Temperature Transmitter Rev.
8, DTM Version 1.4.181 on November 17, 2014. Installing this DTM will resolve 
the vulnerability for all the impacted Emerson products listed above. Emerson 
recommends downloading the updated DTM from its web site:


An attacker would require physical access to the HART loop in order to execute 
this attack. The vulnerability is exploited by connecting a rogue device to the
HART loop and sending malformed data to the frame. If the end user has 
adequate physical protection of the HART loop in place, exploitation is not
possible. Field devices and WirelessHART installations are unaffected. Emerson 
recommends having physical protection of the end users' entire infrastructure.

More details can be found at Emerson's advisory located:

http://www2.emersonprocess.com/siteadmincenter/PM Central Web Documents/EMR EPM14001-1.pdf

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

    Provide physical protection to system controls, connections, and cabling.

ICS-CERT also provides a section for control systems security recommended 
practices on the ICS-CERT web page at: 
http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended
practices are available for reading and download, including Improving 
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 
ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

Additional mitigation guidance and recommended practices are publicly 
available in the ICS-CERT Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT web site 

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

    a. CWE-20: Improper Input Validation, 
       http://cwe.mitre.org/data/definitions/20.html, web site last accessed 
       January 08, 2014.

    b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9191, 
       NIST uses this advisory to create the CVE web site report. This web site 
       will be active sometime after publication of this advisory.

    c. CVSS Calculator, 
       web site last accessed January 08, 2014.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 

ICS-CERT continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967