Today the DHS ICS-CERT published two new HART-DTM related advisories, updated the CodeWrights HART-DTM advisory, updated the NTP Advisory and published their promised NTP supplement. It was a busy information afternoon for ICS-CERT.
The third update to the ICS-CERT advisory on the NTP vulnerabilities was simply a change to add a link to the promised supplement addressing vendor-specific information about how those vulnerabilities are implemented in specific products. That Supplement currently lists affected products (and mitigation measures) from/for the following vendors:
● Arbiter Systems;
● Siemens; and
● Wind River System.
The Supplement does not currently list reportedly unaffected products. Updates to this Supplement are expected.
The third update to the CodeWrights HART-DTM advisory provides some new information about affected systems, including adding Honeywell to the list of potentially affected vendors. Interestingly, GE-MAKTec was not included on the list even though ICS-CERT published an advisory about their HART-DTM vulnerabilities today. The Update also provides links to ICS-CERT advisories for Emerson, Honeywell, Magnetrol, and Pepperl+Fuchs.
There is some additional clarification about the potential impact of successful exploits of this vulnerability. ICS-CERT notes that it only affects the Field Device Tool (FDT) Frame Application. Since that application is only used for configuration changes, ICS-CERT reports that a successful exploit “does not result in loss of information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop”.
ICS-CERT continues to emphasize how difficult it would be to craft an exploit for this vulnerability. Interestingly, they have removed the comments about compromised physical access to the 4 mA to 20 mA current loop. They emphasize that an exploit is possible from “any adjacent network that receives or passes packets from the HART Device DTM”.
The new advisories for Pepperl+Fuchs products and products from GE and MAKTec (GE provides the DTM software for the MAKTec Bullet Adapter DTM according to a GE Advisory) provide basically the same information as the current CodeWrights advisory.
Consistency of Information Sharing
It seems odd that ICS-CERT is issuing individual advisories for vendors affected by the HART-DTM vulnerability but issues a supplement for the advisory that lists those affected by the NTP vulnerability. In most ways it really does not make a difference which process ICS-CERT uses, and they are under no mandate or obligation to maintain any sort of consistency in their methodology.
Having said that, the multiple-advisory process being used with the HART-DTM vulnerability does present a problem. The two advisories issued today share the same language as that found in the current version of the CodeWrights advisory. The Emerson and Magnetrol advisories share the language with the previous version of the CodeWrights advisory. This means that ICS-CERT really should have offered updates of those two advisories today as well. And when the next change takes place, they will have to update all five advisories (plus any others issued in the interim). Using the NTP advisory/supplement model, only one advisory needs to be updated when information on the base vulnerability changes.