Saturday, November 17, 2018

Public ICS Disclosures – Week of 11-10-18


This week we have vendor updates of previously issued advisories from Siemens and an apparently uncoordinated vendor disclosure for products from SourceForge (an open source product web site).

Siemens Advisory Updates


As part of the swath of 16 advisories and updates issued by Siemens this week, there were three updates that were not covered by NCCIC-ICS updates. These were for vulnerabilities addressed in ICS-CERT generic alerts; NCCIC-ICS does not update those alerts with new information from vendors already listed on the alert, since the links on those alerts already take interested parties to the latest vendor information.

• SSA-168644 v1.8 – Spectre and Meltdown Vulnerabilities in Industrial Products. Updated solution for RUGGEDCOM RX1400 VPE;
• SSA-254686 v1.1 – Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. Added solution for SIMATIC IPC647D, SIMATIC IPC847D, SIMATIC IPC647C, SIMATIC IPC847C, SIMATIC IPC627C, SIMATIC IPC677C, SIMATIC IPC827C, SIMOTION P320-4S, SIMOTION P320-4E; and
• SSA-268644 v1.2 – Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products.

GPS Tracking System Vulnerabilities


Ihsan Sencan published an exploit for an SQL injection vulnerability in the SourceForge GPS Fleet/Vehicle Tracking System Using Open Source Traccar Server. There is no CVE associated with this exploit and SourceForge lists the software as “abandoned” so this is probably a 0-day exploit. The product webpage says that there were 48 downloads this week, but I suspect that most of those were security researchers following up on Sencan’s exploit release.

Friday, November 16, 2018

DHS Publishes Semiannual Regulatory Agenda – 11-16-18


Today the Department of Homeland Security (DHS) published their Fall 2018 Semiannual Regulatory Agenda in the Federal Register (83 FR 58031-58038). This is essentially an abstract of some of the information that was originally published in the Fall 2018 Unified Agenda. This Regulatory Agenda identifies a few of the rulemaking activities from the UA that agencies of DHS probably intend to get around to in the coming six months or so, but it is clearly not any indication of whether or not that activity will actually occur.

Some of the DHS rulemakings from this RA that I will be watching if/when they are actually published will be:

• Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001); and
• Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002)

It is odd that the last of the rulemakings listed above is not actually explicated in the DHS document. Instead, you have to go to the Regulatory Information Service Center’s RA entry in the Federal Register to find the full explanation for the security training rulemaking.

Of course, there is nothing new here that was not published weeks ago in the UA; publishing it in the Federal Register just makes it slightly more official. It does not, however, mean that we will see these specific rulemakings any quicker. Rulemaking is like making fine wines: it takes a long time, and you cannot tell until the process is completed how good the product actually is.

Thank goodness we are not relying on paper distribution of the Federal Register anymore; this would be a deforestation project.

Thursday, November 15, 2018

Senate Passes S 140 – 2018 CG Authorization


Yesterday the Senate adopted substitute language (S Amendment 4054) for S 140 which changed that bill to the Frank LoBiondo Coast Guard Authorization Act. The new version of this bill is basically a reorganization of the sections of the US Code that are applicable to the Coast Guard. Most of it is way over my head, but it will certainly mess with the way people will reference sections of the code that they have been working with for years.

There are two sections that caught my attention:

• § 514. Backup national timing system [pg S6849]; and
• § 602. Maritime Security Advisory Committees [pg S6853]

Section 514 looks very much like S 2220, the National Timing Resilience and Security Act of 2017. Like that bill it would require the Secretary of Transportation to establish a land-based alternative to the GPS timing signal generally based upon the old LORAN navigation system.

Section 602 would completely rewrite 46 USC 70112, the current authorizing language for both national and local MSACs. I do not follow the CG really closely, but the changes do not appear to be significant.

The revised bill goes back to the House. It is possible that the bill could be dealt with under the same unanimous consent process that was used earlier this week for HR 3359. It depends on whether there are any controversial measures buried in the revised Senate language. It does not look like it, judging from the way the bill slipped through the Senate.

Wednesday, November 14, 2018

HR 3359 Senate Amendment Accepted by House – CISA Authorization


Yesterday the House accepted the Senate’s amendment to HR 3359, the Cybersecurity and Infrastructure Security Agency Act of 2018. The bill creates the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. The bill was passed earlier this year in the House. The Senate amendment was accepted by the House by ‘unanimous consent’, so no actual vote was taken, but a single voice in objection would have derailed the process.

The bill now goes to the President for signature. There has been no objection raised by the Administration about this bill. In fact, there has been lots of pressure to pass the measure.

8 Advisories and 5 Updates (all Siemens) Published


Yesterday the DHS NCCIC-ICS published eight control system security advisories and updated five previously published advisories; all for products from Siemens.

SIMATIC Panels Advisory


This advisory describes two vulnerabilities in the Siemens SIMATIC HMI and WinCC. The vulnerabilities were reported by Hosni Tounsi from Carthage Red Team. Siemens has newer versions that mitigate the vulnerabilities. There is no indication that Tounsi has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2018-13812; and
• Open redirect - CVE-2018-13813

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow download of arbitrary files from the device, or allow URL redirections to untrusted websites.

SIMATIC IT Advisory


This advisory describes an improper authentication vulnerability in the Siemens SIMATIC IT Production Suite. The vulnerability is self-reported. Siemens has an update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an attacker to compromise confidentiality, integrity and availability of the system.

SIMATIC Step 7 Advisory


This advisory describes an unprotected storage of credentials vulnerability in the Siemens SIMATIC STEP 7 (TIA Portal). The vulnerability is self-reported. Siemens has updates available that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to reconstruct passwords.

SIMATIC S7 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7. The vulnerability was reported by Younes Dragoni of Nozomi Networks. Siemens has a new version for the S7-1500 that mitigates the vulnerability. There is no indication that Dragoni was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition that could result in a loss of availability of the affected device.

SCALANCE S Advisory


This advisory describes a cross-site scripting vulnerability in the Siemens SCALANCE S firewalls. The vulnerability was reported by Nelson Berg of Applied Risk. Siemens has a new version that mitigates the vulnerability. There is no indication that Berg has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker using social engineering could remotely exploit this vulnerability to allow arbitrary script injection (XSS).

SIMATIC WinCC Advisory


This advisory describes a code injection vulnerability in the Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal). The vulnerability is self-reported. Siemens has updates available for all but one of the affected devices.

NCCIC-ICS reports that a relatively low-skilled attacker with network access could exploit the vulnerability to perform an HTTP header injection attack.

S7-400 Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens S7-400 CPUs. The vulnerabilities were reported by CNCERT/CC. Siemens has provided specific workarounds to mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed, which may require a manual reboot or firmware re-image to bring the system back to normal operation.

IEC 61850 Advisory


This advisory describes an improper access control vulnerability in the Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC. The vulnerability is self-reported. Siemens has updates to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to exfiltrate limited data from the system or execute code with operating system user permissions.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018 and most recently on October 9th, 2018. The update provides new affected version and mitigation information for:

• SINAMICS S120;
• PN/PN Coupler;
• SIMATIC ET200 SP;
• SIMATIC S7-400 V; and
• SIMOCODE pro V PROFINET

SCALANCE Update


This update provides additional information on an advisory that was originally published on November 14th, 2017 and updated on December 5th, 2017, December 19th, 2017, January 25th, 2018 and again on April 24th, 2018. The update changed the update information for SCALANCE W-700 (IEEE 802.11n).

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018 and most recently on May 3rd, 2018. The update provides new affected version and mitigation information for:

• SINAMICS S120;
• SIMATIC ET 200SP (except IM155-6 PN ST); and
• SIMATIC Panels

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018 and again on October 9th, 2018. The update provides new affected version and mitigation information for:

• SIMATIC HMI WinCC Flexible; and
• SIMATIC IPC DiagMonitor

SIMATIC S7 Update


This update provides additional information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, and again on June 12th, 2018. The update provides new affected version and mitigation information for:

• SIMATIC BATCH V8.2;
• OpenPCS 7 V8.2; and
• SIMATIC Route Control V8.2

NOTE: I will address the other four updates that Siemens published on Saturday.

Tuesday, November 13, 2018

Committee Hearings – Week of 11-11-18


The House and Senate are back in Washington for the first week of the 115th Congress Lame Duck session. The hearing schedule is relatively light this week. There is one hearing of potential interest that looks at DHS-DOD cybersecurity cooperation.

DHS-DOD Cybersecurity


On Wednesday there will be a joint hearing of the Emerging Threats and Capabilities Subcommittee (House Armed Services Committee) and the Cybersecurity and Infrastructure Protection Subcommittee (House Homeland Security Committee) on “Interagency Cyber Cooperation: Roles, Responsibilities and Authorities of the Department of Defense & the Department of Homeland Security”. The witness list includes:

• Ms. Jeanette Manfra, DHS;
• Kenneth Rapuano, DOD; and
• LTG Bradford "B.J." Shwedo

Looking Ahead


Lame duck sessions are always unpredictable, particularly when there is an upcoming change in control of the House. On some issues we could see an increase in bipartisanship, because departing members are freer to vote their personal conscience or beliefs now that they no longer need to consider the desires of their constituents or financial supporters; on other issues the opposite will be true for the same reasons. Unfortunately, it is hard to predict which will rule on a particular issue.

There are two measures that I will personally be watching for in the coming weeks: the final spending bill (which includes DHS) and the extension of the CFATS program. The first will be publicly controversial mainly because of border wall spending and immigration issues. This may be a bill in the House where we see moderate, outgoing Republicans working with Democrats to get a bill passed.

The CFATS situation is more complicated. Most of the controversies on the two bills involved (HR 6992 and S 3405) are being discussed behind the scenes in committee staffs so it is hard to tell what is going on. S 3405 could come to a floor vote (no debate, no amendments) in the Senate at any time once all of the infighting has been resolved. The House bill will probably require at least one hearing, probably two (Homeland Security and Energy and Commerce Committees) before it can come up for a vote on the floor. Of course, we could just see a one-year extension of the program added to the DHS minibus spending bill, but that would mean two Republican committee chairs in the House giving up their influence on the program.

The current deadline for the minibus is December 7th, but that could be extended up to and beyond (‘beyond’ is possible but highly unlikely) December 31st. In either case, passing that bill will effectively mark the passing of the 115th Congress so the CFATS issue will have to be cleared up by that time as well.

Saturday, November 10, 2018

Public ICS Disclosures – Week of 11-03-18


This week we have a vendor disclosure for products from Rockwell and researcher disclosures for products from D-Link and Advantech.

Rockwell Advisory


Rockwell published an advisory for an IP configuration vulnerability in their MicroLogix 1400 controllers and 1756 ControlLogix EtherNet/IP Communications Modules. The vulnerability was reported to Rockwell by ICS-CERT (and an NCCIC-ICS advisory should be expected this coming week). Rockwell has firmware updates available for currently supported products that mitigate the vulnerability.

NOTE: The advisory indicates that this might be a problem with the ODVA EtherNet/IP standard, so this vulnerability might affect products from other vendors as well.

D-Link Vulnerabilities


John Page (hyp3rlinx) reports three vulnerabilities in the D-Link Central WifiManager CWM-100. The reports indicate that D-Link has been notified of the vulnerabilities but has not communicated successful mitigation measures to Page. The reports include POC exploits.

The three reported vulnerabilities are:

• Server-side request forgery - CVE-2018-15517; and
• FTP server PORT bounce scan - CVE-2018-15516

Advantech Vulnerabilities


Tenable has published an advisory for three vulnerabilities in the Advantech WebAccess/SCADA 8.3.2 product. Chris Lane has published exploit code for two of the vulnerabilities. Tenable reports that Advantech has published a new version that mitigates the vulnerabilities. There is no indication that Tenable has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Directory traversal (2) - CVE-2018-15705, and CVE-2018-15706; and
• Reflected cross-site scripting - CVE-2018-15707
