GE, MACTek update products using vulnerable HART DTM library
This week, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a security advisory about a vulnerability in the HART Device Type Manager (DTM) library, which is used in GE and MACTek products.
Both GE and MACTek have released an update for the issue which impacts four GE products – the Vector DTM 1.00.0, SVi1000 Positioner DTM 1.00.0, SVI II AP Positioner DTM 2.00.1 and 12400 Level Transmitter DTM 1.00.0. MACTek's Bullet DTM 1.00.0 is also affected, the advisory said.
ICS-CERT noted that the aforementioned products are “deployed across multiple critical infrastructure sectors,” and that “successful injection of specially crafted packets to the Device DTM causes a buffer overflow condition in the Frame Application."
Successful exploitation can ultimately lead to the FDT Frame Application becoming unresponsive, and cause the Device DTM to stop functioning, the advisory explained.