Short Takes – 11-20-24

The key moment came 38 minutes after Starship roared off the launch pad. ArsTechnica.com article. Pull quote: “Before going for a full orbital flight, officials needed to confirm Starship could steer itself back into the atmosphere for reentry, ensuring it wouldn't present any risk to the public with an unguided descent over a populated area. After Tuesday, SpaceX can check this off its to-do list.” Lots of interesting program details in the article.

SpaceX Starship Launch Ends With a Dramatic Water Landing. NYTimes.com article. Pull quote: “Though the SpaceX livestream stayed away from political commentary, Mr. Trump’s attendance at the launch signals a growing bond between the president-elect and Mr. Musk.”

Wrangling over whether to punt government funding to Trump heats up. TheHill.com article. Pull quote: ““So, if they’re willing to work on a little bipartisan basis — we know we’re not … the majority. We can get things done, but if they want a partisan bill, then they have to do it on their own, and they’ve shown no ability to do it.””

Every hurricane this season was turbocharged and made more intense than it should have been, study finds. CNN.com article. Pull quote: “Other scientists not involved in the study agreed with the researchers’ overall finding that that human-caused global warming was intensifying storms, but urged caution around the specific increase in wind speeds, particularly with projecting the influence of global warming on future storms.”

Risk Management Under the Toxic Substances Control Act: Certain Per- and Polyfluoroalkyl Substances; Extension of Comment Period. Federal Register EPA comment extension. Summary: “The Environmental Protection Agency (EPA) is extending the comment period for the notice that published in the Federal Register on September 30, 2024, seeking public comment on the manufacture of certain per- and polyfluoroalkyl substances (PFAS), including perfluorooctanoic acid (PFOA), perfluorononanoic acid (PFNA), and perfluorodecanoic acid (PFDA), during the fluorination of high-density polyethylene (HDPE) and other plastic containers to inform regulations as appropriate under the Toxic Substances Control Act (TSCA). That notice established a public comment period that is scheduled to end on November 29, 2024. This document extends that comment period for 31 days to December 30, 2024. EPA received a request to extend the comment period from an interested stakeholder who requested additional time to collect information relating to EPA's notice and develop thoughtful responses to the issues raised in EPA's notice. EPA believes it is appropriate to extend the comment period in order to give stakeholders including the requester additional time to identify and gather information related to the issues identified in EPA's notice and to prepare comprehensive comments.”

300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks. SecurityWeek.com article. Pull quote: ““Moreover, we were unable to find documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies,” OIG notes.”

Review – Public ICS Disclosures – Week of 11-9-24 – Part 3

A delayed completion of my review of last weeks control system cybersecurity disclosures. For Part 3 we have 28 vendor updates from Broadcom (4), FortiGuard (2), HPE (6), Palo Alto Networks, Schneider (2), and Siemens (13).

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on September 26^th, 2024.

Broadcom Update #2 - Broadcom published an update for their Brocade SANnav advisory that was originally published on October 14^th, 2024.

Broadcom Update #3 - Broadcom published an update for their Oracle Critical Patch advisory that was originally published on November 2^nd, 2024.

Broadcom Update #4 - Broadcom published an update for their Azul Zulu Java advisory that was originally published on November 2^nd, 2024.

FortiGuard Update #1 - FortiGuard published an advisory for their regreSSHion vulnerability advisory that was originally published on July 9^th, 2024, and most recently updated on October 16^th, 2024.

FortiGuard Update #2 - FortiGuard published an advisory for their missing authentication in fgfmsd advisory that was originally published on October 23^rd, 2024, and most recently updated on November 7^th, 2024.

HPE Update #1 - HPE published an update for their ProLiant DL/ML/XL, Alletra, Synergy, and Edgeline Servers advisory that was originally published on September 12^th, 2024.

HPE Update #2 - HPE published an update for their ProLiant DL/ML/XL, Alletra, Synergy, and Edgeline Servers advisory that was originally published on September 12^th, 2024.

HPE Update #3 - HPE published an update for their StoreEasy Servers advisory that was originally published on September 19^th, 2024.

HPE Update #4 - HPE published an update for their StoreEasy Servers advisory that was originally published on September 13^th, 2024.

HPE Update #5 - HPE published an update for their StoreEasy Servers advisory that was originally published on September 13^th, 2024.

HPE Updated #6 - HPE published an update for their ProLiant DL/ML/XL, Alletra, Edgeline, MicroServer and Synergy Servers advisory that was originally published on September 16^th, 2024, and most recently updated on September 25^th, 2024.

Palo Alto Networks Advisory - Palo Alto Networks published an update for their Management Web Interface advisory that was originally published on November 8^th, 2024, and most recently updated on November 10^th, 2024.

Schneider Update #1 - Schneider published an update for their PowerLogic PM5500 advisory that was originally published on June 8^th, 2021.

Schneider Update #2 - Schneider published an update for their BadAlloc advisory that was originally published on November 9^th, 2021, and most recently updated on September 10^th, 2024.

Siemens Update #1 - Siemens published an update for their Industrial Products advisory that was originally published on May 14^th, 2024, and most recently updated on October 8^th, 2024.

Siemens Update #2 - Siemens published an update for their n SIMATIC WinCC advisory that was originally published on July 9^th, 2024, and most recently updated on September 10^th, 2024.

Siemens Update #3 - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on October 8^th, 2024.

Siemens Update #4 - Siemens published an update for their RADIUS Protocol advisory that was originally published on July 9^th, 2024, and most recently updated on July 22^nd, 2024.

Siemens Update #5 - Siemens published an update for their Socket.IO advisory that was originally published on September 10^th, 2024.

Siemens Update #6 - Siemens published an update for their SIMATIC SCADA advisory that was originally published on September 10^th, 2024, and most recently updated on October 8^th, 2024.

Siemens Update #7 - Siemens published an update for their Profinet Devices advisory that was originally published on July 13^th, 2021, and most recently updated on June 11^th, 2024.

Siemens Update #8 - Siemens published an update for their l GNU/Linux subsystem advisory that was originally published on December 12^th, 2023, and most recently updated on October 8^th, 2024.

Siemens Update #9 - Siemens published an update for their Palo Alto Networks advisory that was originally published on July 9^th, 2024, and most recently updated on October 8^th, 2024.

Siemens Update #10 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on April 9^th, 2024, and most recently updated on July 9^th, 2024.

Siemens Update #11 - Siemens published an update for their Mendix Runtime advisory that was originally published on September 10^th, 2024, and most recently updated on October 10^th, 2024.

Siemens Update #12 - Siemens published an update for their SIMATIC S7-1500 CPUs advisory that was originally published on October 8^th, 2024.

Siemens Update #13 - Siemens published an update for their User Management Component advisory that was originally published on September 10^th, 2024, and most recently updated on October 8^th, 2024.

 

For more information on these updates, including brief description of the recent changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-db2 - subscription required.

OMB Disapproves CISA CFATS Personnel Surety ICR Renewal

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had disapproved an information collection request renewal from CISA for “Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program”. The 60-day ICR notice was published on June 23^rd, 2021. The 30-day ICR notice was published on February 11th, 2021. A single, apparently unrelated, public comment was submitted on this ICR.

In disapproving this information collection request, OIRA noted that:

“The agency will resubmit this form for approval when the underlying program has been reauthorized by Congress, following an appropriate public comment period.”

In the unlikely event that the CFATS program is reauthorized before the end of the year, CISA will not technically be able to collect information for their CFATS personnel surety program vetting against the TSA’s Terrorist Screening Database (TSDB) as that ICR collection authorization expires on November 30^th, 2024. A new ICR approval request would have to be initiated to allow the data collection after that date.

The CFATS program will not be reauthorized in the 119^th Congress because its most vocal opponent, Sen Rand Paul (R,KY), will be the Chair of the Senate Homeland Security and Governmental Affairs Committee and that Committee would be required to act on any original Senate bill reauthorizing the program or acquiesce to the Senate’s consideration of a House bill doing the same. While the House has been generally more supportive of the program than the Senate, the leadership would be unlikely to consider a CFATS reauthorization bill next session due to President Trump’s expected continued opposition to the program.

Yesterday’s announcement by OIRA is an admission by the current administration that the program is probably dead for the foreseeable future, and possibly a last minute plea for the Senate to take up HR 4470 and pass HR 4470 over Paul’s objections. The Senate leadership is unlikely to try to do that as it would interfere with their efforts to approve as many judicial appointments as possible before the end of the session. 

Short Takes – 11-19-24

Air Defense: Anti Drone Laser That Works. StrategyPage.com article. Pull quote: “The billions [spent on laser weapons development] have not been wasted, but they did buy a lot of disappointment. At the same time, the money and development effort has, slowly, moved the technology towards the point where lasers will be robust enough, and sufficiently supplied with energy, to make themselves effective for the troops. Close now, but not there yet. The Department of Defense fears that a sharp reduction of the defense budget will halt the development money. That would stop work, except for what the manufacturers might continue on their own nickel, and battlefield lasers would remain suspended just short of being useful.”

SpaceX Starship’s Sonic Boom Creates Risk of Structural Damage, Test Finds. NYTimes.com article (free). Pull quote: “The data Dr. Gee collected last month did have some inconsistencies. When measuring just in the frequencies that humans typically hear — ignoring certain low and high frequencies — the Starship test launch in October had lower levels at all the test sites than the F.A.A. had projected.”

No Wires Needed! Quick and Safe Docking with Automated Mooring for Autonomous Ships. NewsWise.com article. Pull quote: ““This automated mooring system represents a key advancement in the safe docking of autonomous vessels and will play a pivotal role in the development of smart port infrastructure,” said Dr. Yongjin Kim. “We expect this solution to set a new standard in operational safety and efficiency across the marine industry.”” Another potentially vulnerable OT cyber system.

Starships and space policy. TheSpaceReview.com article. Pull quote: “Greg Autry, who served on the first Trump administration’s NASA transition team, offered a similar note of caution. “If it was just to show that we could beat China, if it was another flags and footprints mission, then I’d be for that,” Autry, currently associate provost of space commercialization and strategy at the University of Central Florida, said at the Beyond Earth Symposium. “But the Moon has both strategic purposes, militarily, and economic development purposes that Mars doesn’t.”” Looks at Musk as a force in the next administration.

Plant-based fabrics may be more toxic than polyester is to earthworms.CEN.ACS.org article.  Pull quote: “In the second set of experiments, earthworms exposed to environmentally relevant concentrations of viscose for 28 days showed decreased reproduction rates compared with those exposed to polyester fibers. In earthworms exposed to lyocell, the researchers found reduced growth rates and more burrowing and churning activity.” ‘All Natural’ does not mean non-toxic.

Coast Guard Publishes Notice of Availability of Chinese Crane MARSEC Directive – 11-19-24

Today the Coast Guard published a notice in the Federal Register (89 FR 91413-91414) announcing the availability of Maritime Security (MARSEC) Directive 105-5. That document, marked as Sensitive Security Information (SSI) under requirements of 33 CFR §101.405(a)(1), is not publicly available. This notice directs owners and operators of STS cranes manufactured by PRC companies to contact their local COTP or cognizant District Commander to acquire a copy of the Directive.

Today’s notice justifies the Directive by reporting that:

“STS cranes manufactured by PRC companies make up the largest share of the global ship-to-shore crane market and account for nearly 80% of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave STS cranes manufactured by PRC companies vulnerable to exploitation, threatening the maritime elements of the national transportation system.”

As such the Coast Guard has issued MARSEC Directive 105-5 to extend and expand the requirements of MARSEC Directive 105-4 that was also announced by a similar Federal Register notice published on February 23^rd, 2024.

Review - 1 Advisory Published – 11-19-24

Today CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi.

Mitsubishi Advisory - This advisory describes an improper validation of specified type of input vulnerability in the Mitsubishi MELSEC iQ-F Ethernet Module.

 

For more information on this advisory, as well as a brief look at recent update notes on NVD.NIST.gov progress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-11-19-24 - subscription required.

CISA Adds 2 Palo Alto Networks Vulnerabilities to KEV – 11-18-24

Yesterday CISA announced the addition of three vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. Two of those vulnerabilities were for the Palo Alto Networks PAN-OS Management Interface. Both vulnerabilities were previously reported by Palo Alto Networks (see links below). CISA is requiring federal agencies using the Management Interface to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable”. The deadline for completing such actions is December 9^th, 2024.

The two vulnerabilities are:

• Missing authentication for critical function - CVE-2024-0012, and

• OS command injection - CVE-2024-9474

Palo Alto Networks has a report available providing additional information about the known exploits of these two vulnerabilities. It includes indicators of compromise (including IP addresses of identified command and control sites, and SHA-256 hashes for the exploit payload).