Thursday, June 23, 2016

ICS-CERT Publishes Three Advisories

Earlier today the DHS ICS-CERT published three new control system security advisories for products from Meinberg, Unitronics, and Rockwell.

Meinberg Advisory

This advisory describes multiple vulnerabilities in the Meinberg NTP Time Servers Interface. The vulnerabilities were reported by Ryan Wincey. Meinberg has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Wincey has verified the efficacy of the fix.

The vulnerabilities include:

• Twin stack-based buffer overflows - CVE-2016-3962 and CVE-2016-3988; and
• Privilege escalation - CVE-2016-3989

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to cause a buffer overflow condition that may allow escalation to root privileges.

Unitronics Advisory

This advisory describes a stack-based overflow vulnerability in the Unitronics VisiLogic product. The vulnerability was reported by Steven Seeley of Source Incite via ZDI. Unitronics has produced a new version that mitigates the vulnerability. There is no indication that Seeley has been given an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to execute arbitrary code.

The Unitronics CERT Compliance page reports that the vulnerability is in the 'Xceed Zip Compression Library' (XceedZip.dll), a third-party component from Xceed. Unitronics upgraded to version 6.5.16068.0 in their updated version.

NOTE: Once again a vulnerability in a 3rd party library raises the question of what other control system programs are using the vulnerable version of this .DLL?
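
One practical way for a site to answer that question on its own Windows engineering workstations, as an added example (not code from ICS-CERT, Unitronics or Xceed): enumerate every XceedZip.dll on disk and every COM class registration that points at one, then compare file versions with the 6.5.16068.0 release named on the Unitronics page. The search roots, the CSV output path and the assumption that the DLL's file version tracks the library release are mine.

```powershell
# Added example, not code from ICS-CERT, Unitronics or Xceed.
# Purpose: list every copy of XceedZip.dll on this host and flag those whose file
# version is below the release Unitronics moved to (6.5.16068.0, per the
# Unitronics CERT Compliance page).
# Assumptions (mine): the DLL's file version tracks the library release; the search
# roots and the CSV output path are illustrative and should be adjusted per host.

$FixedVersion = [System.Version]'6.5.16068.0'
$SearchRoots  = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Xceed Zip ships as a COM/ActiveX server, so also walk the CLSID registrations:
# a copy installed outside the usual folders still shows up via its InprocServer32 path.
function Get-RegisteredXceedZipPaths {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -Name '(default)' -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'XceedZip\.dll$') {
                [Environment]::ExpandEnvironmentVariables($srv.'(default)')
            }
        } | Sort-Object -Unique
}

function Get-XceedZipInventory {
    param(
        [string[]]$Roots = $SearchRoots,
        [System.Version]$Fixed = $FixedVersion
    )
    $files = @()
    foreach ($root in $Roots) {
        $files += Get-ChildItem -Path $root -Filter 'XceedZip.dll' -Recurse -File -ErrorAction SilentlyContinue
    }
    $files += Get-RegisteredXceedZipPaths | Where-Object { Test-Path -LiteralPath $_ } | Get-Item

    $files | Sort-Object -Property FullName -Unique | ForEach-Object {
        $vi = $_.VersionInfo
        if (-not $vi.FileVersion) {
            # No version resource at all: report it rather than silently treating it as 0.0.0.0.
            $ver = $null
            $status = 'NO_VERSION_RESOURCE'
        } else {
            # Build the version from the numeric PE fields; the FileVersion string is not always well-formed.
            $ver = [System.Version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $status = if ($ver -lt $Fixed) { 'BELOW_FIXED_VERSION' } else { 'AT_OR_ABOVE_FIXED_VERSION' }
        }
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $ver
            Product     = $vi.ProductName
            Folder      = Split-Path (Split-Path $_.FullName -Parent) -Leaf   # folder holding the DLL, usually the owning application
            Status      = $status
        }
    }
}

$inventory = Get-XceedZipInventory
$inventory | Sort-Object Status, Path | Format-Table -AutoSize
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'xceedzip-inventory.csv') -NoTypeInformation
```

Run it in an elevated session so the System32/SysWOW64 and per-application folders are readable; the Folder column is what points you at the control system package that bundled the library, and the CSV is meant to be collected from each workstation so the site has a single list of what still needs a vendor update.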

Rockwell Advisory

This advisory describes a resource management vulnerability in the Rockwell Allen-Bradley Stratix 5400 and Allen-Bradley Stratix 5410 industrial networking switches. The vulnerability is apparently self-reported.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to impact traffic (or packets) transiting the affected device.

ISCD Updates More FAQs – 06-23-16

Today the DHS Infrastructure Security Compliance Division (ISCD) updated nine of the frequently asked question (FAQ) responses on the CFATS Knowledge Center. The FAQ responses updated today were:

In each of these FAQ responses the earlier responses (dating back to 2008) simply referred the reader to the CSAT Registration User Guide; some with the link tagged to the page in an earlier version of the manual that addressed the issue raised in the FAQ. Today’s responses provide the actual explanation from that User Guide. This certainly provides a quicker response to the FAQ, but most of today’s responses do not provide links to the manual for further information.

NOTE: The four FAQ responses that I reported that still remained to be updated have not been updated for the new CSAT URL.

Wednesday, June 22, 2016

House Passes Two Cybersecurity Bills

Yesterday the House took up two cybersecurity bills under the suspension of the rules process and passed both by strongly bipartisan votes. HR 5388, the Support for Rapid Innovation Act of 2016 passed by a vote of 351 – 4. HR 5389, the Leveraging Emerging Technologies Act of 2016 passed by a vote of 347 – 8. In both cases the opposing votes came from Republicans.

HR 5388 includes specific control system security language. That language is in the section dealing with what types of research would be authorized under the new §319 of the Homeland Security Act of 2002. It would authorize research to “assist the development and support of technologies to reduce vulnerabilities in industrial control systems” {§319(b)(6)}. Still, no new funding for this research (or any of the cybersecurity research authorized by the bill) was provided in the bill, so the additional cybersecurity research effectively dilutes the money made available by DHS S&T for research grants.

Both bills now head to the Senate for consideration. If they do make it to the floor they will undoubtedly pass, but whether or not they are considered is an open question. I suspect that the best chance for their consideration is under the unanimous consent provisions, but that requires that no Senator object. With the minor conservative opposition in the House, the prospect of an objection by at least one conservative Senator is a very real possibility.

Tuesday, June 21, 2016

ICS-CERT Publishes Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories for products from Schneider and Advantech.

Schneider Advisory

This advisory describes a cross-site scripting vulnerability in the Schneider Electric PowerLogic PM8ECC communications add-on module for the Series 800 PowerMeter. The vulnerability is apparently self-reported. Schneider has produced a firmware update for the module.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to inject arbitrary JavaScript via a specially crafted URL request, because the response containing the user-supplied data is returned to the web browser without being made safe to display.

Schneider published their Security Notice on this vulnerability on May 11th, 2016.

Advantech Advisory

This advisory describes multiple vulnerabilities in the Advantech WebAccess product. The vulnerabilities were reported by Zhou Yu of Acorn Network Security. Advantech has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Zhou has had a chance to verify the efficacy of the fix.

The vulnerabilities include:

• Unsafe ActiveX controls marked as safe for scripting - CVE-2016-4525; and
• Classic buffer overflow - CVE-2016-4528.

ICS-CERT reports that a social engineering attack is required to exploit these vulnerabilities, but a successful exploit could allow an attacker to insert and run arbitrary code on an affected system.

The Advantech version notes for the new version (8.1_20160519) produced to correct these vulnerabilities mention ‘buffer-overrun’ vulnerabilities in BwAspObj.dll and cellvision.ocx, but they do not mention any ActiveX vulnerabilities. They do, however, mention a password-disclosure vulnerability in the Project User web page that was not mentioned in the ICS-CERT advisory.

Another Schneider Product Vulnerability

When looking for the Schneider Security Note mentioned above I also found another Schneider product vulnerability reported on the Schneider web site. This Security Note was for an elevation of privilege vulnerability in the Pelco Digital Sentry Video Management System.

Bills Introduced – 06-20-16

With the Senate in full session and the House meeting in pro forma session yesterday there were 16 bills introduced. Only one of those may be of interest to readers of this blog:

HR 5531 To amend title 46, United States Code, to improve maritime transportation, and for other purposes. Rep. Hunter, Duncan D. [R-CA-50]

This is the bill that I mentioned yesterday as being scheduled for markup on Thursday. In that post I suggested that the bill might include maritime security provisions. A draft copy of the proposed bill is available on the Committee web site. There are no maritime security provisions, but there is a requirement for the Coast Guard to establish a “land-based positioning, navigation, and timing system [emphasis added] to provide a complement to and backup for the Global Positioning System” {new 46 USC 80701(a)}. The current language does not mention the fact that some SCADA systems use the GPS timing signal for control system synchronization; it would be nice if that were specifically addressed in the bill.

Monday, June 20, 2016

Congressional Hearing – Week of 6-19-16

Both the House and Senate will be in Washington again this week. There is less than a month left now before the summer recess; we will have to wait and see how successful Congress is in getting the spending bills completed. There will be two markup hearings (including the DHS spending bill) and hearings on military cyber operations.

DHS Spending

On Wednesday the House Appropriations Committee will be holding their markup of the FY 2017 DHS spending bill. This hearing was originally scheduled for last week.

Military Cyber Operations

On Wednesday the House Armed Services Committee will be holding a hearing on Military Cyber Operations. The witness list includes:

• Thomas Atkin, Office of the Secretary of Defense
• LTG Kevin McLaughlin, U.S. Cyber Command
• BG Charles Moore, Joint Staff, J-39

Maritime Security Markup

On Thursday the House Committee on Transportation and Infrastructure will hold a markup hearing on three bills, including the as-yet-unintroduced “Miscellaneous Maritime Transportation Amendments Act of 2016”. I am guessing that there will be some maritime security provisions.

On the Floor

On Tuesday the House will take up two bills of interest to readers of this blog under the suspension of rules provision. This means limited debate, no amendments and a 2/3 vote for passage. This generally means that the leadership considers the bill non-controversial. The two bills of specific interest are:

HR 5388, the Support for Rapid Innovation Act of 2016 (Sponsored by Rep. John Ratcliffe / Homeland Security Committee); and

HR 5389, the Leveraging Emerging Technologies Act of 2016.

ICS-CERT and the Secure Portal

Long-time readers of this blog will undoubtedly remember me discussing (see here and here for example) the ICS-CERT use of the US-CERT Secure Portal to initially share control system advisories with a limited audience, allowing critical infrastructure facilities a chance to address those vulnerabilities before their existence became public knowledge. Over the weekend, the DHS ICS-CERT added a new page to their web site describing how to gain access to these early releases of ICS-CERT advisories.

The new page introduces a new name for the US-CERT Secure Portal; apparently it is now called the NC4 Mission Center secure portal. I say apparently because a search of the US-CERT web site contains no mention of that name. A Google search for the term does show a series of results for the NC4 Mission Center name (see here), but that is a trademarked name for an organization headquartered in El Segundo, CA that apparently markets cybersecurity services to the government and private sectors. Interestingly, a search of the NC4 web site for the term ‘ICS-CERT’ turns up no results.

The NC4 websites appear to be very carefully written to foster some level of confusion about whether or not the organization is directly affiliated with the Federal government. See for example here: “Leveraging its U.S. Federal Government heritage and experience garnered from supporting over 100,000+ operational users for over a decade, NC4 brings organizations proven and trusted, web-accessible, secure communication and collaboration solutions.” Though, to be fair, NC4 has apparently been around for some time, since it was mentioned (pg 18) in a 2011 US Army War College paper (.PDF Download).

To avoid confusion, and stop inadvertently sending people to do business with NC4, ICS-CERT really does need to clear up this name issue and go back to using the US-CERT Secure Portal terminology that is apparently still in use in the rest of DHS.

Still, I highly recommend that any critical infrastructure security manager with any level of responsibility for control system security join ICS-CERT on the US-CERT Secure Portal. The early notification of selected control system advisories could be very beneficial.