Today the DHS ICS-CERT published a new advisory for the vulnerability they reported in the Emerson HART DTM last week. The difference is that instead of just limiting the advisory to Emerson HART DTM they are extending it to all versions of the DTM that use the same DTM libraries produced by CodeWrights. Specifically they include HART systems from:
● Berthold Technologies,
● Magnetrol, and
As with the revised advisory published on Friday, ICS-CERT claims that there are no publicly available exploits of these vulnerabilities. CodeWrights has developed a new version of the library and Emerson has tested the library to validate its efficacy. No one has apparently asked the original researcher, Alexander Bolshev, to validate the new library efficacy.
At this point it seems that only Emerson has fixed the vulnerability in their use of the libraries. ICS-CERT states that it will update this advisory when additional reports of fixes have been provided. They also note that CodeWrights is only providing the updated libraries to ‘customers with current support agreements’. This would seem to suggest that other vendors with HART applications may be using the same affected libraries.