Thursday, October 16, 2014

ICS-CERT Issues 2 New Advisories and Updates 2 Siemens Advisories

ICS-CERT has been busy this week. Today they issued two new control system advisories and updated two Siemens advisories. The new advisories are for vulnerabilities in Fox DataDiode Proxy Server and the IOServer application. The two Siemens advisories have already been mentioned here this week.

Fox Advisory

This advisory concerns a cross-site request forgery (CSRF) vulnerability in the web administration interface. It was reported by Tudor Enache of HelpAG in a coordinated disclosure. A new release has been produced that mitigates the vulnerability, but there is no mention of whether Enache was given the chance to verify its efficacy. This advisory was originally released on the US CERT secure portal on September 26th.

ICS-CERT reports that a two-phase social engineering attack would be required to exploit this vulnerability remotely, and that the result would be a denial of service. That is the usual CSRF precondition: the attacker has to get an administrator who is already logged into the web interface to load a crafted page or link; the administrator's credentials themselves are never needed.

IOServer Advisory

This advisory concerns an out-of-bounds read vulnerability reported by Sistrunk-Crain (ICS-CERT changed up the order of the team name) in a coordinated disclosure. A new version mitigates the vulnerability and the efficacy has been verified by Adam Crain.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to crash the OPC Server application.

There is an interesting comment by ICS-CERT in the Vulnerability Characterization section of the advisory. They state:

“A vague interpretation of the DNP3 protocol may allow a null header to cause an out of bound read command to create large numbers of entries in the master in some implementations. This is not a universal problem for all DNP3 users, vendors or integrators [emphasis added], but it may occur.”

That plus a reference to a DNP3 Application Note addressing this issue seems to indicate that this is a problem that might affect other systems. Not that Chris and Adam have ever found vulnerabilities in DNP3 implementations that affect multiple platforms (sorry for the low level sarcasm here). As of 9:00 pm CDT this advisory is not listed on the Project Robus web site.
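Here is an added example, written for this post and not taken from IOServer, Project Robus, or the advisory, of what a defensively written DNP3 link-layer parser does with the kind of frame the advisory is talking about. I am reading "null header" as a link-layer header whose LENGTH byte is below the five-byte minimum (control plus two-byte destination and source); that reading is mine, not ICS-CERT's. The frame layout and CRC-16/DNP follow IEEE 1815; the sample frames are constructed in the code.

```python
# Added example for this post (not IOServer's, Project Robus's, or any vendor's
# code): a bounds-checked parser for a DNP3 link-layer frame, showing how a
# "null header" (LENGTH below the 5-byte minimum) is rejected before any
# arithmetic on it can drive an out-of-bounds read. Frame layout and CRC
# follow IEEE 1815 (DNP3); the sample frames below are constructed here.
import struct

START = b"\x05\x64"
MIN_LENGTH = 5      # LENGTH counts control + dest(2) + src(2) + user data, so 5 is the floor
MAX_LENGTH = 255
HEADER_SIZE = 10    # start(2) + length + control + dest(2) + src(2) + header CRC(2)
BLOCK = 16          # user data travels in 16-byte blocks, each followed by its own CRC


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, reflected, xorout 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


class FrameError(ValueError):
    """Raised for any frame the parser refuses to touch."""


def parse_link_frame(frame: bytes) -> dict:
    """Validate and decode one link-layer frame; raise FrameError on anything malformed."""
    if len(frame) < HEADER_SIZE:
        raise FrameError("truncated header")
    if frame[:2] != START:
        raise FrameError("bad start bytes")
    length = frame[2]
    # This is the check that matters for the advisory: a careless implementation
    # computes user_len = length - 5, which goes negative on a null header and
    # then indexes past the buffer (or, in a master, allocates from garbage).
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise FrameError(f"illegal LENGTH {length}")
    (header_crc,) = struct.unpack_from("<H", frame, 8)
    if crc16_dnp(frame[:8]) != header_crc:
        raise FrameError("header CRC mismatch")
    control, dest, src = struct.unpack_from("<BHH", frame, 3)
    user_len = length - MIN_LENGTH
    nblocks = (user_len + BLOCK - 1) // BLOCK
    expected = HEADER_SIZE + user_len + 2 * nblocks
    if len(frame) != expected:   # never trust LENGTH over the bytes actually received
        raise FrameError(f"frame is {len(frame)} bytes, LENGTH implies {expected}")
    user_data = bytearray()
    pos, remaining = HEADER_SIZE, user_len
    while remaining:
        n = min(BLOCK, remaining)
        chunk = frame[pos:pos + n]
        (block_crc,) = struct.unpack_from("<H", frame, pos + n)
        if crc16_dnp(chunk) != block_crc:
            raise FrameError("data block CRC mismatch")
        user_data += chunk
        pos += n + 2
        remaining -= n
    return {"control": control, "dest": dest, "src": src, "user_data": bytes(user_data)}


def build_link_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Build a well-formed frame (used here only to construct sample input)."""
    if len(user_data) > MAX_LENGTH - MIN_LENGTH:
        raise ValueError("user data too long for one frame")
    header = START + bytes([MIN_LENGTH + len(user_data), control]) + struct.pack("<HH", dest, src)
    out = bytearray(header + struct.pack("<H", crc16_dnp(header)))
    for i in range(0, len(user_data), BLOCK):
        chunk = user_data[i:i + BLOCK]
        out += chunk + struct.pack("<H", crc16_dnp(chunk))
    return bytes(out)


def null_header_frame(dest: int = 1, src: int = 1024) -> bytes:
    """Constructed frame with LENGTH = 0 and a *valid* header CRC, so only the
    length check stands between it and the parser's arithmetic."""
    header = START + bytes([0, 0xC4]) + struct.pack("<HH", dest, src)
    return header + struct.pack("<H", crc16_dnp(header))


def is_rejected(frame: bytes) -> bool:
    """True if the parser refuses the frame."""
    try:
        parse_link_frame(frame)
    except FrameError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: unconfirmed user data (control 0xC4) from outstation 1024 to master 1.
    good = build_link_frame(0xC4, 1, 1024, b"\xC0\xC1\x01")
    print(parse_link_frame(good))
    print("null header rejected:", is_rejected(null_header_frame()))
```

The point is the order of checks: LENGTH is range-checked before anything is computed from it, and the bytes actually received are compared against what LENGTH implies, so a short or null header is refused instead of being turned into a negative user-data length or an oversized read. Running the file prints the decoded sample frame and confirms the null-header frame is rejected.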

Siemens OpenSSL Update

Well, it looks like we are going to need at least update G to get this correct. Yesterday ICS-CERT reported that ROX 1 was the only outstanding affected system without an update, completely missing the APE 1 with eLAN and ROX 2 with eLAN. With today's Siemens ProductCERT announcement that the ROX 1 update is now available, ICS-CERT is still failing to report the continuing vulnerabilities in APE 1 with eLAN and ROX 2 with eLAN. Well, maybe tomorrow.

Ruggedcom Certificate Update

ICS-CERT missed the earlier announcement that the ROX 2 update was available, but they did catch up today when Siemens ProductCERT announced that the ROX 1 update was now available. So far so good. Unfortunately, ICS-CERT also changed their reporting of the affected versions of these two devices; the affected-version information had been correct and had not changed in the latest Siemens report. I know; minor details.

I’m beginning to wonder if anyone at ICS-CERT actually reads the Siemens alerts. The bigger question is how accurate are the other vulnerability reports from ICS-CERT, the ones that we can’t check because the vendor is not as meticulous in reporting their vulnerabilities as is Siemens?

Wednesday, October 15, 2014

ICS-CERT Updates Bash and Siemens OpenSSL - Issues Pyxis Advisory

Today the DHS ICS-CERT published four documents concerning vulnerabilities in control systems. One is actually a correction to yesterday’s Siemens OpenSSL update. Then they updated the BASH advisory and issued a supplement to that advisory. Finally they published a new advisory for a medical supply system with multiple vulnerabilities.

Siemens OpenSSL Update

Yesterday ICS-CERT published an update for the Siemens OpenSSL advisory that reported that all affected systems had updates available. Today they are reporting that what Siemens actually said was that a new update was available for ROX 2-based devices. And it reports that Siemens is still working on an update for ROX 1.

Oops, no, they got it wrong again. According to the Siemens ProductCERT advisory, the newest update only affects ROX V2.6.0 with Crossbow V4.2.3.  There are three products listed by Siemens that do not currently have updates available:

• APE 1 with eLAN installed: All versions <= 1.0.1;
• ROX 1: All versions (only affected if Crossbow is installed);
• ROX 2 with eLAN installed: All versions < V2.6.0

Sorry. I did not read the Siemens ProductCERT advisory on this yesterday; I trusted ICS-CERT to get it right. Well, maybe they’ll get it right tomorrow. And that will be version ‘F’ when we should still be on version ‘C’. Oh well….

BASH Advisory Update and Supplement

Back in September ICS-CERT published a brief advisory on the Bash command injection vulnerability. I was kind of busy at the time and didn’t write about their advisory because much more complete information was readily available elsewhere. Well, today they published an update to that advisory that was not much better. The only change was the addition of the following paragraph:

“ICS-CERT sent out a query to vendors we have collaborated with in the past. Many have responded back with information about which products are affected by this bash vulnerability. ICS-CERT created a supplement to this advisory that contains this information. It can be found at the following web location: This supplement will be updated with additional information as it becomes available, without updating this advisory.”

So now we have a new ICS-CERT document that will be periodically updated so they don’t have to update the advisory so often??? Okay, whatever.

Okay, the supplement provides some useful information. First it provides a list of companies that have responded to ICS-CERT inquiries about potentially vulnerable systems. Then it provides a list of vulnerable systems (by vendor) with links to further information. It is not clear that systems from vendors on the first list that are not listed on the second list are actually not vulnerable. I think that may be a dangerous assumption to make. In any case, selected products from the following vendors are reportedly at least potentially vulnerable:

• ABB;
• Cisco;
• Digi;
• eWON;
• Meinberg;
• Moxa;
• Red Lion (pardon me; their products use the bash shell but “are not considered to be vulnerable or exploitable”); and
• Siemens (okay, this lets them off the hook for not mentioning the Siemens ProductCERT advisory yesterday).

Pyxis Advisory

NOTE: This is for a medical supply control system, not really an industrial control system, but hey the FDA won’t touch this and ICS-CERT doesn’t have anything else going on right now….

This advisory is for multiple authentication vulnerabilities in the CareFusion Pyxis SupplyStation reported by Billy Rios. CareFusion has produced a new version of the software that mitigates three of the four vulnerabilities. There is no mention of whether Billy was given the chance to verify the efficacy of the fix.

ICS-CERT reports that the vulnerabilities are:

• Hard-coded password, CVE-2014-5422;
• Hard-coded credentials, CVE-2014-5421 and CVE-2014-5420; and
• Insecure temporary files, CVE-2014-5423

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to manipulate the locking controls on the automated medical supply cabinets. I don’t expect that these are used to dispense narcotics or else the DEA would be involved.

CareFusion reportedly will not be offering a fix for one of the hard-coded credential vulnerabilities because it would only allow access to some application files, not the physical access controls. That would seem to be a reasonable risk assessment decision if it were made by the system owner rather than the manufacturer. The good news is that it will be fixed in future versions.

Tuesday, October 14, 2014

ICS-CERT Acknowledges 1 of 3 Siemens Updates

Earlier today the DHS ICS-CERT published an update (#4) for the Siemens OpenSSL advisory that was last updated in August. It ignored updates for a RuggedCom certificate verification vulnerability (ICSA-14-135-03) originally published in May and an update for the Siemens GNU Bash vulnerability that ICS-CERT still has not reported. Batting 1 for 3 in baseball is pretty good; in security it SUCKS. All three updates were published yesterday on the Siemens ProductCERT web page.

Open SSL Update

This update reports that Siemens now has updates available for all of the affected product lines. Steady progress has been made since the vulnerability was reported earlier this year, with regular updates to the public notifications by Siemens.

Certificate Verification Update

ICS-CERT may not care, but Siemens is reporting that it has firmware updates available for ROX 2 devices and continues to work on updates for ROX 1 devices.

GNU Bash Update

Siemens is reporting that the same ROX 2 firmware upgrade that fixed the certificate verification vulnerability also addresses their GNU Bash issue. Two vulnerabilities with a single upgrade, good move. ICS-CERT apparently still does not know that Siemens is affected by GNU Bash so the update passes unnoticed.

Monday, October 13, 2014

OMB Approves CSAT ICR Renewal

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the DHS information collection request (ICR) for the on-line Chemical Security Assessment Tool (CSAT) that is used to collect program information from facilities affected by the Chemical Facility Anti-Terrorism (CFATS) program. The 30-day ICR notice for this collection was published back in March, 2013.

This announcement provides links to the supporting documents for this ICR. It provides a link to the American Chemistry Council comment [.PDF download link] that was responsible for the changes to the method of calculating the burden estimate for the SSP Tool. While DHS did modify their burden estimate, it seems clear to me that there is still some level of disagreement about how they calculate the hours of support activity that goes into the SSP documentation. 

While this disagreement is not fully explained in the ICR documentation I suspect that it relates to how much of the time that the ACC is claiming for SSP burden is used for preparing the SSP data submission and how much is for the preparation of the SSP. It would be helpful if the folks at the DHS Infrastructure Security Compliance Division (ISCD) would explain this distinction.

NOTE: The other two CFATS ICRs (CVI and CFATS) that were submitted at the same time as this were approved on September 30th. I did not report them here as they were both submitted as renewals without revision. The length of time necessary for the approval of these ICRs is almost certainly a measure of the political problems that the CFATS program has been facing in Congress. It is apparent that these have been approved now as a result of the apparent change in the support for HR 4007 in the Senate. We still have one CFATS ICR outstanding and that is the one for the CFATS Personnel Surety Program; due to congressional (read industry in this case) opposition to the way ISCD has structured that program the ICR will not be approved.

Wednesday, October 8, 2014

DHS Updates CFATS Stats

Once again it is time for the monthly update of CFATS statistics from the folks at DHS Infrastructure Security Compliance Division (ISCD). They have published their CFATS Fact Sheet that covers through October 1st. Below are the standard charts that I have been publishing showing the changes in these statistics over time.

The data shows continued improvement in the total number of authorized and approved facilities. The rate at which progress is being made is running about the same as it has been in the last couple of months; the variation is almost certainly due to the changing mix of facilities being evaluated.

The last chart is of increasing concern. My friends in the environmental activist community will be happy to see a decline in the number of facilities with ‘dangerous chemicals’ on site. I remain concerned about the lack of transparency on a program level (I don’t want to know plant details) about how many of these facilities are dropping out of the program due to process changes, inventory manipulation, or going out of business. Without that kind of data we cannot gauge the actual increase in safety/security involved in these numbers.

Tuesday, October 7, 2014

ICS-CERT Updates Two Advisories – Ignores Siemens GNU Bash Report

This afternoon the DHS ICS-CERT updated two earlier advisories, one from Siemens and one from Schneider. Interestingly they ignore the unique Siemens ProductCERT report on GNU Bash vulnerabilities in Siemens products.

Siemens Update

This advisory was originally published back in July. Since then Siemens has provided a new update for the still vulnerable SIMATIC PCS7. The original advisory was published with only a SIMATIC WinCC update available.

Schneider Update

This advisory was originally published almost three weeks ago. Since then Schneider has made the promised service packs available to correct the vulnerabilities:

• ClearSCADA 2010 R3.2, Released October 2014, and
• SCADA Expert ClearSCADA 2014 R1.1, Released October 2014.

Siemens GNU Bash Report

ICS-CERT has not yet published an advisory for the recently self-reported ProductCERT advisory for separate vulnerabilities related to the GNU Bash problem. Siemens tweeted about this advisory yesterday morning.

The advisory reports specific vulnerabilities in the DHCP client (ROX 1 and ROX 2 products) and the web interface of their eLAN system (APE Linux); nothing especially new here.

The interesting report here is the mention of a ‘generic Bash’ vulnerability in a number of listed products, but only after “major custom modifications by the user (such as installation of additional software or custom scripts)”. The public identification of a post-modification vulnerability marks a real commitment to customer support.

NHTSA Publishes Cybersecurity RFI

Today the DOT’s National Highway Traffic Safety Administration (NHTSA) published a notice in the Federal Register (79 FR 60574-60583) concerning its research program on determining the need for safety standards with regard to electronic systems in passenger motor vehicles. Such standards could include cybersecurity requirements for such systems. NHTSA is seeking public comments on these issues.

On July 6, 2012 the President signed into law MAP-21 (PL 112-141). Section 31402 required DOT to examine electronic systems in passenger motor vehicles. Part of that examination was to include a look at “the security needs for those electronic systems to prevent unauthorized access” {§31402(a)(1)}. A portion of today’s notice specifically addresses that cybersecurity examination. In this section NHTSA identifies two general approaches to vehicular cybersecurity:

• Design and quality control processes that focus on cybersecurity issues throughout the lifecycle of a product; and
• Establishing robust information sharing forums such as an Information Sharing and Analysis Center (ISAC)

Cybersecurity Design

NHTSA notes that there are no current cybersecurity design standards for the automotive industry. It does point at the NIST Cybersecurity Framework and notes that “this framework could allow the automotive industry to develop a security program for modern-day automobiles analogous to information security programs [emphasis added] in place for information technology (IT) systems in general”. This would make it seem that NHTSA intends to treat automotive electronic systems as information systems rather than control systems.
NHTSA does note the European Union’s efforts in this area, specifically the EVITA program which has apparently done nothing since it produced its final report in 2012.

Information Sharing

NHTSA reports that it has examined [.PDF download link] the Information Sharing and Analysis Center (ISAC) that has been used by other industries. It also notes that the Alliance of Automotive Manufacturers (Alliance) and the Association of Global Automakers (Global Automakers) are considering [.PDF download link] the formation of an automotive sector ISAC.

NHTSA Ongoing Research

NHTSA reports that its ongoing automotive cybersecurity research program targets four areas:

Public Comments

Before they complete their required report to Congress on automotive cybersecurity NHTSA is soliciting public comments on this topic. They are specifically asking for input in the following topic areas:

Comments may be submitted via the Federal eRulemaking Portal (; Docket #NHTSA-2014-0108). Public comments should be submitted by December 8th, 2014.