Sunday, April 14, 2024

Review – Public ICS Disclosures – Week of 4-6-24 – Part 2

For part two we have three additional vendor disclosures from B&R, Schneider and Welotec. We also have 13 vendor updates from HP (2) and Siemens (11). Finally, there are four researcher reports for vulnerabilities in products from TP-Link.

Advisories

B&R Advisory - B&R published an advisory that discusses four vulnerabilities (one with known exploit) in their APC4100, APC910, and PPC900 products.

Schneider Advisory - Schneider published an advisory that discusses an improper privilege management vulnerability in their Easergy Studio product.

Welotec Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Welotec TK500v1 router series.

Updates

HP Update #1 - HP published an update for their PC Bios advisory that was originally published on March 12th, 2024.

HP Update #2 - HP published an update for their March 2024 BIOS security advisory that was originally published on March 13th, 2024.

Siemens Update #1 - Siemens published an update for their FortiGate NGFW advisory that was originally published on March 12th, 2024.

Siemens Update #2 - Siemens published an update for their SIMATIC S7-1500 BIOS advisory that was originally published on June 16th, 2023 and most recently updated on December 12th, 2023.

Siemens Update #3 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on June 13th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #4 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 13th, 2024.

Siemens Update #5 - Siemens published an update for their Scalance W1750D advisory that was originally published on February 13th, 2024.

Siemens Update #6 - Siemens published an update for their OpenSSL advisory that was originally published on June 14th, 2022 and most recently updated on January 9th, 2024.

Siemens Update #7 - Siemens published an update for their OPC UA Implementation advisory that was originally published on September 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #8 - Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023 and most recently updated on November 14th, 2023.

Siemens Update #9 - Siemens published an update for their SCALANCE W700 advisory that was originally published on November 14th, 2023.

Siemens Update #10 - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on December 12th, 2023 and most recently updated on March 12th, 2024.

Siemens Update #11 - Siemens published an update for their OpenSSL Vulnerabilities advisory that was originally published on March 14th, 2023 and most recently updated on October 10th, 2023.

Researcher Reports

TP-Link Reports - Talos published four reports describing twelve vulnerabilities in the TP-Link AC1350 Wireless MU-MIMO Gigabit Access Point.

 

For more information on these disclosures, including links to third parties advisories and summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-fd8 - subscription required.

Saturday, April 13, 2024

State Actions on CFATS – 4-11-24

I do not normally cover State level legislative efforts, as each State legislature has their own peculiar ways of dealing with legislation, but today I was pointed at an article on NebraskaExaminer.com that includes a discussion about an unusual legislative effort to deal with the fallout from Senate inaction on HR 4470, the CFATS reauthorization bill. Back in January Nebraska State Legislator Bostar introduced LB1048. The bill would require a CFATS covered facility to participate in CISA’s ChemLock program until such time as the CFATS program is reauthorized.

The ChemLock program is a voluntary program that CISA developed to provide chemical security assistance to chemical facilities that were not covered by the CFATS program. While there are a number of important features to that program, it is by no means a substitute for CISA’s oversight of the CFATS program. Still, I can understand Bostar’s concern about the Senate’s inaction on the CFATS reauthorization.

OMB Approves EPA PFOA/PFOS CERCLA Final Rule

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the Environmental Protection Agency on “Designating PFOA and PFOS as CERCLA Hazardous Substances”. The notice of proposed rulemaking for this action was published on September 6th, 2022.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“Under the Comprehensive Environmental Response, Compensation, and Liability Act of 1980, as amended (“CERCLA” or “Superfund”), the Environmental Protection Agency (EPA or the Agency) is moving to finalize the designation of perfluorooctanoic acid (PFOA) and perfluoro octane sulfonic acid (PFOS), including their salts and structural isomers, as hazardous substances. CERCLA authorizes the Administrator to promulgate regulations designating as hazardous substances such elements, compounds, mixtures, solutions, and substances which, when released into the environment, may present substantial danger to the public health or welfare or the environment. Such a designation would ultimately facilitate cleanup of contaminated sites and reduce human exposure to these “forever” chemicals.”

We could see this final rule published in the Federal Register in the next week or two. I do not expect that I will cover this rulemaking beyond announcing it in the appropriate Short Takes post when it is published.

Chemical Incident Reporting – Week of 4-6-24

NOTE: See here for series background.

San Mateo, CA – 4-4-24

Local News Reports: Here, here, and here.

Pool supply pickup truck overturned, spilling 24 gallons of chlorine bleach. No injuries.

Not CSB reportable; a transportation incident, not a fixed-site issue.

Review - Public ICS Disclosures – Week of 4-6-24 – Part 1

This week for Part 1 we have 21 vendor disclosures from B&R, Broadcom, FortiGuard (3), HP, HPE (3), Insyde, Palo Alto Networks (8), Pepperl+Fuchs, Philips, and Rockwell.

Advisories

B&R Advisory - B&R published an advisory that discusses five vulnerabilities (one with known exploit) in their APROL product.

Broadcom Advisory - Broadcom published an advisory that discusses the XZ Utils Data vulnerability.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an exposure of sensitive information to unauthorized actor vulnerability in their FortiOS product.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a use of externally controlled format string vulnerability in their FortiOS product.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes an insufficiently protected credentials vulnerability in their FortiOS and FortiProxy products.

HP Advisory - HP published an advisory that discusses 84 vulnerabilities in their ThinPro products. These are third-party vulnerabilities.

HPE Advisory #1 - HPE published an advisory that describes a cross-site request forgery in their OfficeConnect switches.

HPE Advisory #2 - HPE published an advisory that describes an authentication bypass vulnerability in their FlexFabric and FlexNetwork switches.

HPE Advisory #3 - HPE published an advisory that discusses eleven vulnerabilities (one listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog) in their Unified Correlation Analyzer.

Insyde Advisory - Insyde published an advisory that describes an out-of-bounds write vulnerability in their PnpSmm application.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that discusses eleven vulnerabilities (one with known exploit) in their PAN-OS product.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes an incorrect authorization vulnerability in their GlobalProtect SSL VPN.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes an inadequate encryption strength vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an interpretation conflict vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes an interpretation conflict vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #6 - Palo Alto Networks published an advisory that describes an allocation of resources without limit or throttling vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #7 - Palo Alto Networks published an advisory that describes a NULL pointer dereference vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #8 - Palo Alto Networks published an advisory that describes an improper ownership management vulnerability in their PAN-OS product.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses eight vulnerabilities (including three with known exploits) in the Pepperl+Fuchs ICES2 and ICES3 products.

Philips Advisory - Philips published an advisory that discusses the Terrapin Attack vulnerability.

Rockwell Advisory - Rockwell published an advisory that describes an invalid header value vulnerability in their ControlLogix and GuardLogix products.

 

For more information on these disclosures, including links to third-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-3bc - subscription required.

Transportation Chemical Incidents – Week of 3-9-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary (links are to accident report)

• Number of incidents – 484 (455 highway, 28 air, 1 rail)

• Serious incidents – 3 (3 Bulk release, 0 injuries, 0 deaths, 1 major artery closed)

• Largest container involved – 7,500-gal (Diesel Fuel); a car accident damaged the loading lines stored on the trailer. 25-gal spilled.

• Largest amount spilled – 400-lbs (Calcium Hypochlorite, Hydrated or Calcium Hypochlorite, Hydrated Mixtures, With Not Less Than 5.5% But Not More Than 16% Water) plastic container damaged in material handling.

NOTE: There was an incident involving a DOT 105J400W railcar (Petroleum Gases, Liquefied or Liquefied Petroleum Gas), but the database contains no size entry for that incident, so it does not make the list as the 'largest container'. 

Most Interesting Chemical: Furfuryl Alcohol – Used as a monomer in the manufacture of furan resins; will polymerize rapidly, and at times with explosive force, in the presence of strong mineral acids. A clear colorless liquid. Flash point 167°F. Boiling point 171°C. Denser than water. Contact may irritate skin, eyes and mucous membranes. May be toxic by ingestion and skin contact and moderately toxic by inhalation.



Friday, April 12, 2024

Short Takes – 4-12-24

Japanese astronaut to be first non-American to set foot on moon. Phys.org article. Pull quote: “"Two Japanese astronauts will join future American missions, and one will become the first non-American ever to land on the moon," Biden said in a press conference with Kishida.”

More states are finding bird flu in cattle. This is what scientists are watching for. NPR.org article. Pull quote: “There are still big questions about exactly how bird flu plays out in cattle, since it's only now being followed closely. "There certainly are many mutations that occurred with this jump from wild birds into cattle and we don't necessarily understand what they mean," says Hill.”

SpaceX all set for a record-breaking rocket launch on Friday. DigitalTrends.com article. Pull quote: “Those tuning in will witness the Falcon 9 rocket climb into the sky for a record 20th time, along with stage separation and the deployment of SpaceX’s internet satellites. The webcast will also show the first-stage booster landing upright on the A Shortfall of Gravitas droneship in the Atlantic Ocean about eight minutes after launch, a feat that will pave the way for the rocket’s 21st flight.” NOTE: This did happen today.

The Islamic State in Khorasan Province: Exploiting a Counterterrorism Gap. CSIS.org article. Pull quote: “ISKP is a wholly rejectionist group, meaning that it opposes all the governments in the region as well as the major powers allied with them. This stance is an anomaly in South Asia where most militant groups benefit from at least one government backer. Instigating so many enemies at the same time should be a losing strategy; it certainly was for the Islamic State core in Iraq and Syria. But there has not been such cooperation against ISKP. Instead, it has exploited three counterterrorism gaps to plot and conduct attacks in Afghanistan, the broader region, and beyond.”

Scientists discover first algae that can fix nitrogen — thanks to a tiny cell structure. Nature.com article. Pull quote: “Understanding how the nitroplast interacts with its host cell could support efforts to engineer crops that can fix their own nitrogen, says Zehr. This would reduce the need for nitrogen-based fertilizers and avoid some of the environmental damage they cause. “The tricks that are involved in making this system work could be used in engineering land plants,” he says.”
