GE has released a fix for a vulnerability in a library that’s used in several of its products deployed in critical infrastructure areas. The flaw in the HART Device Type Manager library could allow an attacker to crash affected applications or run arbitrary code.
The vulnerability in the DTM library affects four of GE’s products, as well as one product manufactured by MACTek. According to an advisory from ICS-CERT, GE has released an updated library that addresses the problem.
“The vulnerability causes a buffer overflow in the HART Device DTM crashing the Field Device Tool (FDT) Frame Application. The Frame Application must then be restarted. The Frame Application is primarily used for remote configuration. Exploitation of this vulnerability does not result in loss of information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop,” the advisory says.
“The buffer overflow exploited could be used to execute arbitrary code on the system running the Frame Application. The researcher has provided proof of concept to ICS-CERT and the vendor. The updated HART Device DTM provided by the GE and MACTek will resolve this issue. Successful exploitation requires that the Frame Application is running and connected to a DTM‑configured HART‑based device at the time of the exploit.”
- MACTek’s Bullet DTM 1.00.0,
- GE’s Vector DTM 1.00.0,
- GE’s SVi1000 Positioner DTM 1.00.0,
- GE’s SVI II AP Positioner DTM 2.00.1, and
- GE’s 12400 Level Transmitter DTM 1.00.0.
Until customers have patched their affected products, ICS-CERT recommends some additional mitigations.
“Device DTM software with the identified vulnerable versions listed as impacted should be used only within an offline secure network until patched. ICS-CERT strongly recommends performing configuration changes in a nonproduction environment where proper testing and risk evaluation can be performed. ICS-CERT also recommends that asset owners employ a least privilege practice and avoid unnecessary services within their production environment,” the advisory says.