Public ICS Disclosures – Week of 08-10-19

This week we have eight vendor notifications from Schneider (7) and Siemens; updates for four previouls published advisories from Schneider (2) and Siemens (2); as well as two exploit reports for previously published vulnerabilities in products from Wind River, and Cisco.

Schneider Advisories

Magelis Advisory

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Magelis HMI Panel products. The vulnerability was reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Modicon 340 Advisory

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Modicon M340 controllers. The vulnerability was reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Modicon Advisory

Schneider published an advisory describing three improper check for unusual or exceptional conditions vulnerabilities in their Modicon Ethernet / Serial RTU Modules. The vulnerability was reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

SoMachine Advisory

Schneider published an advisory describing an untrusted search path vulnerability in their SoMachine HVAC. The vulnerability was reported by Yongjun Liu of the nsfocus security team. Schneider has a new version that mitigates the vulnerability. There is no indiction that Yonguin has been provided an opportunity to verify the efficacy of the fix.

TelevisGo Advisory

Schneider published an advisory describing 22 vulnerabilities in the third party UltraVNC (remote accesss) software component embedded within the TelevisGo product. The vulnerabilities were reported by Kaspersky Labs. Schneider has a hot-fix available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The 22 reported vulnerabilities are:

• Buffer errors (9) - CVE-2019-8258, CVE-2018-15361, CVE-2019-8262, CVE-2019-8263, CVE-2019-8269, CVE-2019-8271, CVE-2019-8273, CVE-2019-8274, and CVE-2019-8276;

• Resource management errors (2) - CVE-2019-8259, and CVE-2019-8277;

• Out-of-bounds read (8) - CVE-2019-8260, CVE-2019-8261, CVE-2019-8280, CVE-2019-8264, CVE-2019-8265, CVE-2019-8266, CVE-2019-8267, and CVE-2019-8270;

• Incorrect calculation (2) - CVE-2019-8268, CVE-2019-8272; and

• Improper access control - CVE-2019-8275.

Software Update Service Advisory

Schneider published an advisory describing a deserialization of trusted data vulnerability in their Software Update (SESU) SUT Service. The vulnerability was reported by Amir Preminger of Claroty. Schneider has a new version that mitigates the vulnerability. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

spaceLYnk Advisory

Schneider published an advisory describing an authentication vulnerability in their  spaceLYnk and Wiser for KNX controllers. The vulnerability was reported by Sumedt Jitpukdebodin. Schneider has new versions that mitigate the vulnreabilty. There is no indication that Jitpukdebodin has been provided an opportunity to verify the efficacy of the fix.

Schneider Updates

Modicon Controllers Update

Schneider published an update that was originally published on May 14^th, 2019.  New information includes:

Added mitigation measures for M340;

Added four new vulnerabilities (links for reports w/exploits from Talos):

• Denial of service vulnerability - CVE-2019-6809;

• Denial of service vulnerability - CVE-2019-6828;

• Denial of service vulnerability - CVE-2019-6829; and

• Denial of service vulnerability - CVE-2019-6830

SCADAPack Update

Schneider published an update for an advisory that was originally published on May 24^th, 2017. New information includes:

• Updated researcher acknowledgement section;

• Corrected CVE ID from CVE-2017-6028 to CVE-2017-6034; and

• Corrected vulnerability description

Siemens Advisory

Siemens published an advisory describing two vulnerabilities in their SIMATIC S7-1200 and SIMATIC

S7-1500 CPU families.  The vulnerabilities were reported by Eli Biham, Sara Bitan, Aviad Carmel, and Alon Dankner, Uriel Malin, and Avishai Woo. Siemens has generic workarounds that mitigate the vulenrabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Man-in-the-middle vulnerability - CVE-2019-10929; and

• Code change vulnerability - CVE-2019-10943

Siemens Updates

ZombieLoad Update

Siemens published an update for an advisory that was originally published on July 9^th, 2019. New information includes:

• SIMATIC IPCs 427D, 477D, 627D, 627E, 647D, 647E, 677D, 677E, 827D, 847D, 847E; and

• FieldPG M6

GNU/Linux Update

Siemens published an update for an advisory that was originally published on November 27^th, 2019. New information includes:

• Added CVE-2018-19591, CVE-2019-11360, CVE-2019-13272; and

• Moved CVE2018-16862 from buildtime to runtime relevant

Cisco Exploit

Angelo Ruwantha published a Metasploit module for a vulnerability in the Cisco Adaptive Security Appliance; Cisco published an advisory on this vulnerability on June 6thy, 2018. NCCIC-ICS published an advisory for Rockwell Automation Allen-Bradley Stratix 5950 listing this vulnerability.

WindRiver (Urgent/11) Exploit

Zhou Yu published an exploit for an integer overflow vulnerability in the Wind River VxWorks (one of the Urgent/11 vulnerabilities).

Bills Introduced – 08-16-19

Yesterday with almost no congresscritters in Washington, the House and Senate both met in proforma session. Nine bills were introduced. One of those bills may receive future coverage in this blog:

HR 4189 To amend title 28, United States Code, to allow claims against foreign states for unlawful computer intrusion, and for other purposes. Rep. Bergman, Jack [R-MI-1]

I will be watching this bill for possible language specifically including control systems or critical infrastructure.

4 Advisories Published – 08-15-19

Yesterday the DHS NCCIC-ICS published four control system security advisories for products from Siemens (2), Fuji Electric, and Johnson Controls.

SINAMICS Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the web server of the Siemens SINAMICS control units. The vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to perform a denial-of-service attack.

SCALANCE Advisory

This advisory describes two instances of an improper adherence to coding standards vulnerability in the Siemens SCALANCE products. The vulnerability is self-reported. Siemens has an update available that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to  lead to a denial of service or could allow an authenticated local user with physical access to the device to execute arbitrary commands on the device.

NOTE: There are still two advisories and an update that were published by Siemens earlier this week that have not been addressed by NCCIC-ICS. I will report further on them tomorrow.

Fuji Advisory

This advisory describes a stack-based buffer overflow in the Fuji Alpha5 Smart Loader servo  drive. The vulnerability was reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code under the privileges of the application.

Johnson Controls Advisory

This advisory describes two vulnerabilities in the Johnson Controls Metasys building automation system. The vulnerability was reported by harpocrates.ghost. Johnson Controls has a new version that mitigates the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Reusing a nonce, key-pair in an encryption - CVE-2019-7593; and

• Use of hard-coded cryptographic key - CVE-2019-7594

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to decrypt captured network traffic.

HR 3787 Introduced – UAS Coordinator

Last month Rep. Perry (R,PA) introduced HR 3787, the DHS Countering Unmanned Aircraft Systems Coordinator Act. The bill would require the DHS Secretary to designate a Counter Unmanned Aircraft Systems (UAS) Coordinator to “coordinate with relevant Department offices and components on the development of policies and plans to counter threats associated with UAS” {new §321(a)}. The bill is functionally identical to HR 6438 which was passed in the House in the 115^th Congress. A related bill, S 1867, was introduced in June in the Senate.

The only difference in this bill and last years House bill is the absence of some administrative house cleaning measures in §2(b) of the bill that were addressed in Homeland Security spending bill passed earlier this year.

Moving Forward

Perry is no longer a member of the House Homeland Security Committee, the committee to which this bill was assigned for consideration. This means that, unless he gets a cosponsor for the bill who is on the Committee, there is little chance that the bill will be considered.

The bill did get bipartisan support in the 115^th Congress and it almost certainly would in this session as well.

Commentary

As I mentioned last year, this bill does not provide for any exceptions to a number of federal statutes that would currently prohibit private sector organizations taking any actions to intercept, take down, or track the owner of a UAS. DOD has been provided substantial (almost sweeping) authority to take actions against UAS under 10 USC 130i, but similar authority provided to DHS and DOJ (6 USC 124n)was significantly constrained. And more importantly, no such authority has been extended to the private sector.

Interestingly, the Senate bill is closely tied to the authorizations provided in §124n and actually would terminate the authority for the position when §124n terminates on October 25^th, 2022. The House bill is not tied to the DHS counter-UAS authority and has no termination provisions.

I think that this bill could be improved by expanding the authorized activities of DHS under §124n to include the protection of facilities covered under the Chemical Facilities Anti-Terrorism Security (CFATS) program by inserting a new §2(b) into the bill {while re-designating the current (b) as (c)}

(b) Chemical Facility Anti-Terrorism Standards Program

(1) In general – 6 USC 124n(k)(3)(C)(i) is amended by adding (IV):

“(IV) protection of facilities covered under 6 CFR Part 27;

(2) The Secretary will publish regulations amending 6 CFR part 27 providing procedures for covered facilities that report quantities of release security issue chemicals of interest as defined in Appendix A to 6 CFR Part 27 to:

(A) track UAS approaching within ¼ mile of the reported facility boundaries;

(B) intercept communications between the controller and the UAS in accordance with §124n(b)(1)(A);

(C) warn the operator in accordance with §124n(b)(1)(B); and

(D) seize or exercise control of the UAS that is in the air space directly over the reported facility boundaries in accordance with §124n(b)(1)(D) if and only if the operator has been warned as in (C) above.

PHMSA Publishes Petition Response NPRM – 08-14-19

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking in the Federal Register (84 FR 41556-41594) outlining proposed changes to the Hazardous Material Regulations (HMR) resulting from petitions to reduce regulatory burdens.

The proposed changes include 20 provisions addressing:

• Phase-Out of Non-Normalized Tank Cars Used To Transport PIH Materials;

• Limited Quantity Shipments of Hydrogen Peroxide;

• Markings on Portable Tanks;

• Reconditioning of Metal Drums;

• Limited Quantity Harmonization;

• Mobile Refrigeration Units;

• Incorporation by Reference of CGA Standards;

• Special Provision for Explosives;

• EX Numbers and Safety Devices;

• Alternative Reports for Cargo Tanks;

• Weight Tolerances for Paper Shipping Sacks;

• Markings on Closed Transport Containers;

• Finalization of the HM-246 Tank Car Standard;

• Phase-Out of Non-HM-246 Compliant Rail Tank Cars;

• Allow Non-RCRA Waste To Use Lab Pack Exception;

• Incorporation of ASME Code Sections II, VIII, and IX;

• Import of Foreign Pi-Marked Cylinders;

• Placement of the Word “Stabilized” in Shipping Description;

• Incorporation by Reference of an IME Standard; and

• Incorporation by Reference of an APA Standard

PHMSA is soliciting public comments on these proposed changes to the HMR. Comments need to be submitted by October 15^th, 2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2017-0120).

DOE Calls for Comments on Cybersecurity Maturity Model

Today the DOE published a request for comments in the Federal Register (84 FR 40399-40400) on version 2.0 of its Cybersecurity Capability Maturity Model (C2M2). According to the notice the “C2M2 Version 2.0 leverages and builds upon existing efforts, models, and cybersecurity best practices to advance the model by adjusting to new technologies, practices, and environmental factors.”

The development of version 2.0 includes:

• Establishing a Cybersecurity Architecture domain

• Separating the maturity indicator levels (MILs) from the Information Sharing and Communications domain to include sharing practices in the Threat and Vulnerability Management and Situational Awareness domains

• Movement of Continuity of Operations MILs from the Incident and Event Response to the Cybersecurity Program Management domain to account for continuity activities beyond response events

• Increasing the use of common language throughout the model.

Public comments are being solicited, but there are no instructions within the document on how to submit comments. It does not look like the Federal eRulemaking Portal could be used since there is no docket number provided in the notice. An email address has been provided for Timothy Kocher, who is the DOE officer who signed the notice, but it would be unusual for public comments to be sent directly to him. I have an email in route to Kocher and will update this post as more information becomes available.

Bills Introduced – 08-13-19

Yesterday with both the House and Senate meeting in proforma session (absolute minimal attendance) there were six bills introduced. One of these may receive future coverage in this blog:

HR 4187 To penalize acts of domestic terrorism, and for other purposes. Rep. Weber, Randy K., Sr. [R-TX-14]

I will be watching this bill for specific language for the definition of ‘domestic terrorism’ that includes attacks on critical infrastructure (like chemical plants) or attacks on industrial control systems. I am not holding my breath; this is probably just a knee jerk reaction to recent mass shootings.