Vulnerability in hipserver
6 Oct 2020
HART-IP Developer kit, Release 188.8.131.52 (Licensed Product)
hipserver, Release 3.6.1 (initial public release) (https://github.com/FieldCommGroup/hipserver)
FieldComm Group ID: PSI-20200601001
CVE ID: CVE-2020-16209
License holders to the HART-IP Developer Kit and users of hipserver open source code.
The HART-IP server component hipserver takes HART-IP messages from its clients and transports the embedded HART messages to various HART application programs. An unchecked memory transfer in the IP interface would potentially allow an internal buffer to overflow.
A malicious user could exploit this interface by constructing HART-IP messages with payloads large enough to overflow the internal buffer, crashing the device or obtaining control of it.
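The class of check whose absence is described above, as an added example; it is not hipserver code and is not taken from the v3.7.0 fix. The 8-byte header layout with a big-endian byte count that includes the header, the 256-byte buffer size, and all names (`hip_parse`, `hip_try`, `struct hip_msg`) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HIP_HDR_LEN     8u    /* assumed: ver, type, id, status, seq(2), byte count(2) */
#define HIP_MAX_PAYLOAD 256u  /* hypothetical size of the internal buffer */
enum { HIP_OK = 0, HIP_ERR_SHORT = -1, HIP_ERR_LENGTH = -2, HIP_ERR_TOO_BIG = -3 };

struct hip_msg {
    uint8_t  version, msg_type, msg_id, status;
    uint16_t sequence, payload_len;
    uint8_t  payload[HIP_MAX_PAYLOAD];
};

/* Parse `len` bytes received from the network into a fixed-size message. */
int hip_parse(const uint8_t *buf, size_t len, struct hip_msg *out)
{
    if (buf == NULL || out == NULL || len < HIP_HDR_LEN)
        return HIP_ERR_SHORT;
    /* Sender-controlled length field: validate it, never trust it as-is. */
    size_t byte_count = ((size_t)buf[6] << 8) | buf[7];
    /* It must cover the header and must not claim more than actually arrived. */
    if (byte_count < HIP_HDR_LEN || byte_count > len)
        return HIP_ERR_LENGTH;
    size_t payload_len = byte_count - HIP_HDR_LEN;
    /* Bound the copy by the destination size before any memory transfer. */
    if (payload_len > sizeof out->payload)
        return HIP_ERR_TOO_BIG;
    out->version = buf[0];  out->msg_type = buf[1];
    out->msg_id  = buf[2];  out->status   = buf[3];
    out->sequence    = (uint16_t)((buf[4] << 8) | buf[5]);
    out->payload_len = (uint16_t)payload_len;
    memcpy(out->payload, buf + HIP_HDR_LEN, payload_len);
    return HIP_OK;
}

/* Constructed sample input: n payload bytes, `declared` written as the byte count. */
int hip_try(size_t n, size_t declared)
{
    static uint8_t dgram[HIP_HDR_LEN + 1024];
    static struct hip_msg msg;
    if (n > 1024) return HIP_ERR_SHORT;
    memset(dgram, 0xAA, HIP_HDR_LEN + n);
    dgram[0] = 1;
    dgram[6] = (uint8_t)(declared >> 8);
    dgram[7] = (uint8_t)(declared & 0xFF);
    int rc = hip_parse(dgram, HIP_HDR_LEN + n, &msg);
    return rc == HIP_OK ? (int)msg.payload_len : rc;  /* payload length or error */
}
```
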
Users of hipserver v3.6 can protect themselves by restricting access to the computers or devices running the software. Users of hipserver should immediately upgrade their source code to v3.7.0 (or higher).
All licensed users of the HART-IP developer kit will be sent updated source code.
The hipserver source code was added to the GitHub repository on 5 Dec 2019. As of this advisory notice, FieldComm Group is not aware of any third-party commercial products using hipserver.
The researcher Reid Wightman from Dragos, Inc. identified the security vulnerability.
Advisories and Disclosure coordinated through CISA.
6 Oct 2020 1.0 Initial Version (this document)
Copyright © 2020 FieldComm Group
Original versions of this document are available at https://fieldcommgroup.org