Wednesday, October 31, 2018

One Advisory and Two Updates Published


Yesterday the DHS NCCIC-ICS published one new control system security advisory and updates for two previously published advisories.

PEPPERL+FUCHS Advisory


This advisory describes an improper privilege management vulnerability in the PEPPERL+FUCHS CT50-Ex. The vulnerability was self-reported. PEPPERL+FUCHS has an update available that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a malicious third-party application to gain elevated privileges and obtain access to sensitive information.

NOTE: I discussed this vulnerability (and the associated Honeywell advisory) two weeks ago.

Rockwell Update


This update provides new information on an advisory that was originally reported on March 1st, 2016. The new information includes:

• Report of a publicly available exploit;
• Added affected products and associated mitigation measures;
• Added a second reporting researcher {Venkatesh Sivakumar (@PranavVenkatS)}; and
• Added additional mitigation measures.

NOTE: Rockwell has not updated their security advisory to reflect these changes.

Vecna Update


This update provides new information on an advisory that was originally published on April 24th, 2018. The new information includes:

• Report of remote exploitability;
• Added two new vulnerabilities;
• Expanded exploit risk;
• Clarified affected versions; and
• Added three new vulnerabilities.

ISCD Updates CFATS Web Site – 10-30-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Standards (CFATS) program web site. Significant changes were made to the CFATS landing page and the CFATS Resources page. Actually, the changes to the landing page were mainly the removal of the ‘CFATS Announcement’ section that dated back to August.

CFATS Resources


The CFATS Resources page is basically a listing of links to publications about the CFATS program. A new category of documents (Industry-related Chemicals Fact Sheets) was added to the page and a new fact sheet (CFATS Resubmitting a Top-Screen Fact Sheet) was added to the existing Fact Sheets section of the page.

The new industry fact sheets section provides links to a number of industry specific fact sheets about the CFATS program. These fact sheets are part of the ongoing outreach effort that CFATS is undertaking to ensure that all facilities with holdings of DHS chemicals of interest (COI) know about their CFATS Top Screen reporting requirements. I have written about a number of these fact sheets as they have been published, but this new section provides links to fact sheets that I had not seen before. Nothing really new in the fact sheets, they are just targeting industries that had not yet been singled out for attention. The new industries include:


There is one minor problem with this new ‘fact sheet’ section on the page; all of the links take you to the same separate ‘Industry-related Chemicals Fact Sheets’ page where an identical list of industries provides links to the actual fact sheets. It would be less disruptive if that intermediate page were removed.

NOTE: These new fact sheets were also reported on the CFATS Knowledge Center.

Resubmitting a Top Screen


This new fact sheet (actually dated ‘November 2018’) addresses the issue of when facilities are required to resubmit Top Screens. In addition to the Tier-specific periodic resubmission specified in the CFATS regulations, it mentions the ‘material modification’ requirements. ISCD has had a continuing problem with providing industry with a concrete definition of this slippery term. The major reason for this is that ISCD has not been willing to share the details of their risk assessment model so that industry could see exactly what type and scope of changes could result in a change of their facility tiering.

This new fact sheet does provide some new information. Along with the addition or deletion of a COI from the facility inventory, ISCD now lists “Changes to quantity, location, or packaging of a COI as previously reported on a Top-Screen” as a category of activities that could trigger a requirement to resubmit a Top Screen.

To limit the number of Top Screen submissions that a facility might have to submit, ISCD does offer this bit of advice:

“As a best practice, DHS recommends that a facility predict the highest expected quantity and concentration of COI it anticipates possessing at a given time over the lifecycle of the facility’s operations to ensure more efficient reporting.”

Unfortunately, following this advice could also result in a requirement to maintain a security system for a Tier ranking higher than the facility would routinely warrant. It would be more helpful to facilities if ISCD were able to tell facilities what level of inventory for currently listed COI would trigger an increase in Tier ranking. That way facilities could put administrative controls into place to ensure that that inventory level was not reached without a specific consideration of the costs of added security measures.

Monday, October 29, 2018

CEII Admin Procedures NPRM Published


The Department of Energy published a notice of proposed rulemaking (NPRM) today in the Federal Register (83 FR 54268-54278) describing the DOE’s proposed procedures for the designation and control of Critical Electric Infrastructure Information (CEII) that would parallel the Federal Energy Regulatory Commission’s rules on CEII (18 CFR 388.113). This rule implements the CEII requirements set forth in §61003(d) of the 2015 FAST Act {PL 114-94, 129 STAT. 1773; codified at 16 USC 824o-1(d)}.

The NPRM would add 10 CFR 1004.13, Critical Electric Infrastructure Information. This would include sub-paragraphs for:

Protection of CEII (Note: This is apparently mismarked at ‘(6)’ not ‘(g)’ in the NPRM);

Readers are reminded that CEII is a listed type of controlled unclassified information (CUI) under the Information Security Oversight Office (ISOO) regulations (32 CFR 2002). Where the requirements of this new DOE rule do not exceed the requirements of the ISOO regulation, the ISOO regulation supersedes these requirements.

DOE is soliciting comments on this NPRM. Comments must be received by December 28th, 2018. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; RIN 1901-AB44).

Saturday, October 27, 2018

Public ICS Disclosures – Week of 10-20-18


This week we have two vendor notifications for products from Schneider Electric and Eaton.

Schneider Advisory


This advisory describes a DLL hijacking vulnerability in the Schneider Electric Software Update (SESU) which is installed with a wide variety of Schneider products. The vulnerability was reported by Haojun Hou (ADLab of Venustech). Schneider has an update available to mitigate the vulnerability. There is no indication that Haojun has been provided an opportunity to verify the efficacy of the fix.

Eaton Advisory


This advisory mentions an unexplained vulnerability in the Eaton Network Card-MS for UPS. This vulnerability is apparently being self-reported. Eaton has a newer version of the firmware that mitigates the vulnerability.

NOTE: This is about the most worthless security notification that I have ever seen. Not only does it not describe the vulnerability (or provide a CVE number, or describe the associated risk), but the “link” to the cybersecurity whitepaper which presumably provides potentially useful generic workaround information for power distribution systems is not actually a link; it is just the blue-underlined word “here”. Oh, and by the way, how many people know the firmware version number of the network communication card in their UPS?

Thursday, October 25, 2018

Two Advisories Published


Today the DHS NCCIC-ICS published two control system security advisories for products from Advantech and GEOVAP.

Advantech Advisory


This advisory describes two vulnerabilities in the Advantech WebAccess application. The vulnerabilities were reported by Mat Powell via the Zero Day Initiative. Advantech has a new version (the same version that mitigated Tuesday’s vulnerabilities) that mitigates the vulnerabilities. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper Access Control - CVE-2018-17908; and
• Stack-based buffer overflow - CVE-2018-17910.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for arbitrary remote code execution.

NOTE: It is interesting that Matt has two Advantech advisories this week where he is the security researcher. Looking at the CVE numbers it looks like there was at least some delay between the reporting of the two sets of vulnerabilities. Not surprising that Advantech would fix all five vulnerabilities in the same version; finding vulnerabilities almost certainly takes less time than fixing them.

GEOVAP Advisory


This advisory describes a cross-site scripting vulnerability in the GEOVAP Reliance 4 SCADA/HMI. The vulnerability was reported by Ismail Mert AY AK. GEOVAP has a new version that mitigates the vulnerability. There is no indication that Ismail has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to use an HTTP proxy to inject arbitrary JavaScript in a specially crafted HTTP request that may be reflected back in the HTTP response.

Lock-Out/Tag-Out ANPRM to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an advanced notice of proposed rulemaking (ANPRM) from DOL’s Occupational Health and Safety Administration (OSHA) for changes to their Lock-Out/Tag-Out regulations.

The abstract for this rulemaking in the Fall 2018 Unified Agenda notes:

“Recent technological advancements that employ computer-based controls of hazardous energy (e.g., mechanical, electrical, pneumatic, chemical, and radiation) conflict with OSHA's existing lock-out/tag-out standard. The use of these computer-based controls has become more prevalent as equipment manufactures modernize their designs. Additionally, there are national consensus standards and international standards harmonization that govern the design and use of computer-based controls: this approach of controlling hazardous energy is more accepted in other nations, which raises issues of needing to harmonize U.S. standards with those of other countries. The Agency has recently seen an increase in requests for variances for these devices. This RFI will be useful in understanding the strengths and limitations of this new technology, as well as potential hazards to workers.”

One of the contract jobs I did during my first break from the chemical industry was as an industrial safety instructor for a major greenfield manufacturing facility. One of the classes that I spent a great deal of time developing and then presenting to new employees was the mandatory LOTO training, both for affected and authorized employees. I have a special place in my heart for this safety program. But the reason that I am including this rulemaking notice in my blog has more to do with the cybersecurity implications of the possible rulemaking.

Anytime that we start to consider adding “computer-based controls of hazardous energy” to a safety program we need to ensure that the security of those controls is very carefully taken into account. Failure to do so will place workers in needless danger.

Wednesday, October 24, 2018

Three Advisories Published


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Telecrane, GAIN Electronics and Advantech.

Telecrane Advisory


This advisory describes an authentication bypass by capture-replay vulnerability in the Telecrane F25 Series remote control. The vulnerability was reported by Jonathan Andersson, Philippe Z Lin, Akira Urano, Marco Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler via the Zero Day Initiative. Telecrane has a new firmware version that mitigates the vulnerability. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to view commands, replay commands, control the device, or stop the device from running.

GAIN Advisory


This advisory describes three vulnerabilities in the Gain SAGA1-L series remote control. The vulnerabilities were reported by Marco Balduzzi, Philippe Z Lin, Federico Maggi, Jonathan Andersson, Urano Akira, Stephen Hilt, and Rainer Vosseler via ZDI. GAIN has a new firmware version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Authentication bypass by capture replay - CVE-2018-17903;
• Improper access control - CVE-2018-20783; and
• Improper authentication - CVE-2018-17923.

NCCIC-ICS reports that a relatively low-skilled attacker with access to an adjacent network could exploit these vulnerabilities to allow remote code execution and potentially delete the product’s firmware.

NOTE: It is interesting that these researchers have found similar capture and replay vulnerabilities in two different industrial remote control systems. As these wireless systems become more common will we continue to see this type of vulnerability?

Advantech Advisory


This advisory describes four vulnerabilities in the Advantech WebAccess application. The vulnerabilities were reported by Matt Powell via ZDI. Advantech has a new version available that mitigates the vulnerabilities. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-14816;
• External control of filename or path - CVE-2018-14820;
• Improper privilege management - CVE-2018-14828; and
• Path traversal - CVE-2018-14806.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system.

Tuesday, October 23, 2018

HR 7076 Introduced – Electronically Controlled Brakes


Last week Rep. Herrera-Beutler introduced HR 7076, the Oil and Flammable Material Rail Transportation Safety Act. The bill would require DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) to re-instate the 49 CFR 174.310 requirements for electronically controlled pneumatic (ECP) brakes on high-hazard flammable unit trains (HHFUT) operating in excess of 30 mph.

Those ECP requirements were removed by PHMSA in a final rule on September 25th, 2018. That action was required by Congress in §7311 of the FAST Act (PL 114-94, 129 Stat. 1601) after PHMSA published the new regulatory impact analysis (RIA) (.PDF Download) required by that act that showed that the costs of the ECP requirement significantly outweighed the benefits (see pgs 78-9 of the RIA).

Section 2 of the bill would nullify that rulemaking and return the ECP brake requirements to §174.310.

Moving Forward


Herrera-Beutler is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that she is unlikely to have the influence necessary to have the bill considered in Committee.

There would be significant railroad opposition to this bill which means that it would likely draw major opposition in Committee and on the floor of the House if it were to make it that far. The bill is extremely unlikely to be considered in the 115th Congress and would not pass if it were.

Commentary


This is an unusual bill to be proposed by a Republican, but her district is well known for its concern about the oil trains moving through the area, so the bill makes good sense from a campaign perspective in that district. I doubt that there is any downside in corporate support because of the introduction of this measure since the railroads would certainly understand that this bill will not go anywhere in this Congress.

Saturday, October 20, 2018

ICS Disclosures – Week of 10-13-18


This week we have a vendor disclosure from PEPPERL+FUCHS via CERT-VDE. There were also a significant number of exploits published this week for a variety of IP cameras.

PEPPERL+FUCHS Advisory


This advisory describes an Android privilege escalation vulnerability in the PEPPERL+FUCHS CT50-Ex hand-held computer for hazardous environments {NOTE: This is apparently the PEPPERL+FUCHS (ecom) rebrand of the Honeywell Dolphin CT50-Ex}. The vulnerability was self-reported by PEPPERL+FUCHS. There is an update available to mitigate the vulnerability.

NOTE: This vulnerability was reported by Honeywell and covered by NCCIC-ICS in ICSA-18-256-01 back in September.

I wonder what other 2nd tier vendors have rebranded this vulnerable Honeywell product without informing their customers about the Honeywell advisory.

IP Camera Exploits


Gjoko Krstic (LiquidWorm) released exploit code for three IP cameras along with advisories on the seven vulnerabilities via Zero Science Labs. For the first six vulnerabilities (for products from FLIR Systems) listed below, the disclosures were coordinated with the vendor. The TP-Link advisory does not contain any vendor coordination information, so that may be a zero-day vulnerability.


Bills Introduced – 10-19-18


Yesterday with both the House and Senate meeting in pro forma session (ie: 90+% of the congresscritters staying at home campaigning) there were 10 bills introduced. One of those bills is likely to receive further consideration in this blog:

HR 7076 To reinstate requirements pertaining to electronically controlled pneumatic brake systems on high-hazard flammable unit trains, and for other purposes. Rep. Herrera Beutler, Jaime [R-WA-3] 

Since Herrera-Beutler is representing Vancouver, WA, which is well known for its desire to restrict the operation of oil trains, I suspect that this bill is more about campaigning than legislating. Still, it will be interesting to see how the bill intends to get around the cost-benefit issue that allowed the Trump Administration to kill the ECP brake requirements.

Thursday, October 18, 2018

Omron Advisory Published


Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Omron. The advisory describes four vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by Mat Powell, Ariele Caltabiano (kimiya) of 9SG Security Team, and b0nd @garage4hackers via the Zero Day Initiative. Omron has a new version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2018-17905;
• Out-of-bounds read - CVE-2018-17907;
• Use after free - CVE-2018-17909; and
• Incorrect type conversion or cast - CVE-2018-17913.

NCCIC-ICS reports that an uncharacterized hacker with uncharacterized access could exploit these vulnerabilities to execute code under the context of the application, corrupt objects, and force the application to read a value outside of an array.

Wednesday, October 17, 2018

Fall 2018 Unified Agenda – DHS


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) published the Fall 2018 Regulatory Agenda. In the DHS section of the Agenda we continue to see movement between the Active and Inactive portions of the Agenda, but there are no new rulemakings on the Agenda that will be covered here.

Active Agenda


The table below shows the Active Agenda items that would be covered here in this blog. Rulemaking titles in italics indicate actions moved from the Inactive Agenda in the previous version of the Agenda.

Agency   Stage            Rulemaking
OS       Final Rule       Ammonium Nitrate Security Program
OS       Final Rule       Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS       Final Rule       Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002)
USCG     Final Rule       Marine Transportation-Related Facility Response Plans for Hazardous Substances
USCG     Final Rule       2013 Liquid Chemical Categorization Updates
USCG     Final Rule       TWIC Reader Requirements; Delay of Effective Date
TSA      Proposed Rule    Vetting of Certain Surface Transportation Employees
TSA      Final Rule       Protection of Sensitive Security Information
TSA      Final Rule       Security Training for Surface Transportation Employees

The Ammonium Nitrate Security Program has been a problem for DHS from the beginning. It was mandated by Congress in 2007, but DHS has been unable to craft regulations implementing the requirements of that mandate yet meet cost-benefit analysis requirements for federal regulations. In 2016 DHS commissioned a study on the larger IED precursor issue and a public report on the study was published last year. In the abstract for the rulemaking in this version of the Agenda DHS notes:

“DHS intends to publish a notice announcing the availability of a redacted version of a technical report developed by Sandia National Laboratories titled Ammonium Nitrate Security Program Technical Assessment. The report documents Sandia National Laboratories’ technical research, testing, and findings related to the feasibility of weaponizing commercially available products containing ammonium nitrate. DHS intends to use this notice to solicit comments on the report and its application to the proposed Ammonium Nitrate Security Program rulemaking.”

Inactive Rulemakings


The table below shows the Inactive Agenda items that would be covered here in this blog. No new items of interest on this blog have been added to the Inactive Agenda. The only thing removed is the previously discussed Ammonium Nitrate Security Program rulemaking.

Agency   Rulemaking
OS       Chemical Facility Anti-Terrorism Standards (CFATS)
OS       Updates to Protected Critical Infrastructure Information (PCII) Program
USCG     Amendments to Chemical Testing Requirements
USCG     Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
TSA      Surface Transportation Vulnerability Assessments and Security Plans

Commentary


The Unified Agenda is NOT a promise that the Administration is going to complete the next stage in the rulemaking process as predicted. That almost never happens (well, every once in a while). This is a regulatory requirement that really means very little. New rulemakings can spring up out of nowhere (as far as the Unified Agenda is concerned) and rulemakings can sit on the UA for decades without action. Having said that, once in a blue moon, the schedule posted in the Unified Agenda actually coincides with reality. We just have to wait and see when that happens next; maybe it will happen with the Ammonium Nitrate Security Program rulemaking.

OMB Approves New CEII NPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the Department of Energy on their Critical Electric Infrastructure Information (CEII) program. The NPRM was submitted to OMB in July.

When this NPRM was submitted the rulemaking had not been listed in the latest (Spring 2018) Unified Agenda. Yesterday OIRA published the Fall 2018 Unified Agenda (more on this in another post) and this rulemaking was included; not much information in the listing, unfortunately. The abstract in the listing simply notes:

“The Department of Energy (DOE or Department) is publishing a proposed rule for public comment to implement DOE’s critical electric infrastructure information (CEII) designation authority under section 215A of the Federal Power Act.  The proposed administrative procedures are intended to ensure that stakeholders and the public understand how the Department would designate, protect, and share CEII under the Federal Power Act”

I expect that the NPRM will be published in the Federal Register in the next week or two; even when it initiates regulatory action, the Trump Administration is not quick about these things.

Advisory for LCDS Products


Yesterday the DHS NCCIC-ICS published a control system advisory for products from Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS). The advisory describes six vulnerabilities in the LAquis SCADA software. The vulnerabilities were reported by Mat Powell, rgod of 9SG Security Team, Esteban Ruiz (mr_me) of Source Incite, b0nd @garage4hackers, and Ashraf Alharbi (Ha5ha5hin) via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2018-17893;
• Out-of-bounds read - CVE-2018-17895;
• Integer overflow to buffer overflow - CVE-2018-17897;
• Path traversal - CVE-2018-17899;
• Out-of-bounds write - CVE-2018-17901; and
• Stack-based buffer overflow - CVE-2018-17911.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, crash the system, or write controlled content to the target system.

Tuesday, October 16, 2018

HR 7045 Introduced – Avionics Cybersecurity


Earlier this month Rep. Meng (D,NY) introduced HR 7045, the Aircraft Avionics Systems Cybersecurity Act. The bill would require the FAA to revise airworthiness certification regulations to “address cybersecurity for avionics systems, including software components” {§2(a)(1)}.

Cybersecurity Requirements


Section 2(a) of the bill would require the FAA to revise airworthiness certification regulations “to require that aircraft avionics systems used for flight guidance or aircraft control be secured against unauthorized access via passenger inflight entertainment systems through such means as the Administrator determines appropriate to protect the avionics systems from unauthorized external and internal access” {§2(a)(2)}.

Section 2(b) of the bill would require the FAA in revising the regulations to take into account the recommendations of the Aircraft Systems Information Security Protection Working Group required by §2111(a)(2)(A)(iii)(I) of the FAA Extension Safety and Security Act of 2016 (PL 114-190, 130 STAT. 625). Those recommendations were published in August 2016.

Moving Forward


Meng is not a member of the House Transportation and Infrastructure Committee to which the bill was assigned for consideration, so it is unlikely that she has the influence necessary to have the bill considered in Committee. This is especially true so late in the session.

It is not clear what sort of support would be available for this bill. While it would require the FAA to establish new regulations (which would draw at least some sort of opposition from industry) the requirements for those regulations are extremely vague and broadly drawn. This bill could receive some bipartisan support because it would allow Congress to look like it was taking action without making any controversial decisions.

Saturday, October 13, 2018

Public ICS Disclosures – Week of 10-06-18


This week there was a vendor vulnerability disclosure from Siemens. There were also four exploits published for products from Delta Industrial, WAGO, and Phoenix Contact (2). I am also going to take a quick look at some additional information on an NCCIC-ICS advisory for the Hangzhou XMeye P2P Cloud Server published this week.

Siemens Advisory


Siemens published an advisory on Foreshadow and L1 Terminal Fault (L1TF) in their industrial product line. These are another pair of speculative execution vulnerabilities affecting the processors used in the affected devices. More details on the generic vulnerabilities can be found here. Siemens has some BIOS updates available to mitigate the vulnerabilities (three separate CVEs involved) and has provided workarounds for other products.

This advisory was published in the same batch that was covered extensively by NCCIC-ICS on Tuesday. I have no idea why this was not included unless NCCIC-ICS is lumping these new vulnerabilities in with the Spectre and Meltdown problem. Even if that is the case, this would then have deserved an update to their alert on those issues.

Delta Industrial Exploit


A Metasploit module was published for a previously identified stack-based buffer overflow vulnerability in the Delta Industrial COMMGR software.

WAGO Exploit


SecuNinja published an exploit for a cross-site scripting vulnerability in the WAGO 750-881 Ethernet controller. There is no CVE number provided, so it is possible that this is a 0-day vulnerability being exploited.

Phoenix Contact Exploit


Photubias published two exploits for previously identified vulnerabilities in the Phoenix Contact ILC PLC via their WebVisit HMI page.

The three reported vulnerabilities covered in these exploits are:

• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.

Hangzhou Advisory


Earlier this week NCCIC-ICS published their advisory for three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. As is typical for these advisories NCCIC-ICS provided summary data on the issue. Since Hangzhou effectively did not respond to the coordination efforts of NCCIC-ICS there was no vendor information provided in the advisory. While NCCIC-ICS did acknowledge the vulnerability reporting effort of SEC Consult, they did not (as is their apparent policy) provide any link to the reporting agency’s information on the vulnerabilities.

Generally speaking this policy of not linking to supporting documentation from researchers is a mistake and, in this instance, it does a gross disservice to the affected community by severely understating the potential problems associated with the affected devices. In particular, it fails to explain that the vulnerabilities affect a large number of vendors that rebrand and sell the affected Hangzhou DVR products.

SEC Consult published an advisory on the vulnerabilities as well as a lengthy blog post. Brian Krebs also did a lengthy blog post on the topic.

Friday, October 12, 2018

3 Advisories and 4 Updates


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Delta Industrial Automation and NUUO (2). They also updated a previously published control system security advisory for products from Yokogawa and three medical device security advisories for products from Medtronic, BD and Philips.

Delta Advisory


This advisory describes two vulnerabilities in the Delta Industrial Automation TPEditor. The vulnerabilities were reported by Ariele Caltabiano (kimiya) of 9SG Security Team and Mat Powell. Delta has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-17929; and
• Out-of-bounds write - CVE-2018-17927.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution.

CMS Advisory


This advisory describes four vulnerabilities in the NUUO CMS software management platform. The vulnerabilities were reported by Pedro Ribeiro. NUUO has a firmware update that mitigates the vulnerabilities. There is no indication that Ribeiro has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Use of insufficiently random values - CVE-2018-17888;
• Use of obsolete function - CVE-2018-17890;
• Incorrect permission assignment for critical resource - CVE-2018-17892; and
• Use of hard-coded credentials - CVE-2018-17894

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to achieve arbitrary remote code execution.

NVRmini2 Advisory


This advisory describes two vulnerabilities in the NUUO NVRmini2 and NVRsolo network video recorders. The vulnerabilities were reported by Jacob Baines of Tenable. NUUO has a firmware update that mitigates the vulnerabilities. There is no indication that Baines has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-1149; and
• Leftover debug code - CVE-2018-1150

NCCIC-ICS reports that a relatively low-skilled attacker using publicly available exploit code could remotely exploit the vulnerabilities to achieve remote code execution and user account modification.

Yokogawa Update


This update provides additional information on an advisory that was originally reported on May 31st, 2018. The new information includes:

• Addition of four new vulnerabilities;
• Revision of exploit consequences;
• Addition of new products affected; and
• Addition of mitigation information for newly identified products.

NOTE: All of this new information was reported in a separate Yokogawa advisory that I discussed here last month. That new advisory was not referenced in this update.

Medtronic Update


This update provides additional information on an advisory that was originally published on February 27th, 2018 and updated on June 27th, 2018. The new information includes:

• Addition of a new affected product;
• Addition of statement on possible remote access exploitation;
• Addition of a third vulnerability; and
• Addition of a report of a new mitigation measure implemented by Medtronic.

An FDA notice was published for the revised Medtronic advisory.

BD Update


This update provides additional information on an advisory that was originally published on May 22nd, 2018. The new information includes a report of implementation of the promised mitigation measures.

Phillips Update


This update provides additional information on an advisory that was originally published on August 21st, 2018 and updated on August 30th, 2018. The new information includes the announcement of future mitigation measures to be undertaken by Phillips.

Thursday, October 11, 2018

HR 6992 Introduced – CFATS Reauthorization


Last month Rep. Katko (R,NY) introduced HR 6992, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018. This is a significant re-write of the Senate bill of the same name (S 3405).

Major Changes from S 3405


There were three major changes made in crafting this new bill. Two sections found in S 3405 were deleted and one new section was added.

The removed sections were:

• §3 – Risk-based performance standards (removed cybersecurity RBPS); and
• §11 – Small covered chemical facilities (also removed cybersecurity requirements).

The added section (§9 in the new bill) deals with products and mixtures containing DHS chemicals of interest. It would require DHS to set up a process for facilities to request that specific non-hazardous mixtures be exempted from COI reporting requirements.

There were some changes to the CFATS recognition program that I will address in a future post. Similarly, changes were made in the following sections:

• §2 Definitions;
• §5 Frequency of audits and inspections;
• §7 Security risk assessment approach and corresponding tiering methodology;
• §8 Security risk assessment approach and corresponding tiering methodology; and
• §13 Assessment, report, briefing, and updated retrospective estimate on costs.

Moving Forward


Katko and one of his six cosponsors {Rep. Fitzpatrick (R,PA)} are members of the House Homeland Security Committee, one of the committees to which this bill was assigned for consideration. The CFATS reauthorization is a ‘must pass’ bill (unless a short term extension is added to the DHS minibus), so this bill will likely be considered in Committee after the election.

It will be interesting to see how many Democrats on the Committee support this bill, which has no language addressing any of the long-standing chemical facility concerns of that party. It is odd that neither Rep. Thompson (D,MS) nor Rep. Jackson-Lee (D,TX) is signed on as a cosponsor of this bill. With the current Republican majority in the House (at least for the remainder of this session) their support is not needed, but they are important CFATS voices on the Committee. Even more unusual is the lack of support from Rep. Ratcliffe (R,TX), who is the Chair of the Cybersecurity and Infrastructure Protection Subcommittee, the subcommittee which oversees the CFATS program.

Commentary


I am very happy to see the changes made that allow cybersecurity to remain part of the CFATS program. I wish that there was additional language that addressed the problems that were identified in the Senate CFATS hearing earlier this year, but at this point I will be somewhat satisfied if the status quo remains the status quo.

EPA Earthquake Resilience Tools


Having grown up in California and lived through the Sylmar quake in ’71, I have a healthy respect for this particular physical hazard. Thus, I appreciate Bridget O’Grady’s blog post from earlier this week pointing at an EPA earthquake resiliency resource for water treatment facilities.

It is interesting to note the EPA’s explanation of why water treatment and waste water treatment facilities are vulnerable to earthquake damage:

“Water and wastewater utilities are particularly vulnerable to earthquakes because of the extensive network of above and below ground pipelines, pumps, tanks, administrative and laboratory buildings, reservoirs, chemical storage buildings and treatment facilities.”

The same can certainly be said for chemical manufacturing facilities (okay, all facilities, but this is a chemical security and safety blog), so much of the information on the three tools will be useful for chemical manufacturers as well.

Wednesday, October 10, 2018

7 Advisories and 7 Updates Published


Yesterday the DHS NCCIC-ICS published seven control system security advisories for products from Fuji Electric, Hangzhou Xiongmai Technology Co, Siemens (4) and GE. They also updated seven previously issued advisories for products from Siemens.

Fuji Advisory


This advisory describes an uncontrolled search path element vulnerability in the Fuji Electric Energy Savings Estimator. The vulnerability was reported by Karn Ganeshen. Fuji has released an update that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.

Hangzhou Advisory


This advisory describes three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. The vulnerabilities were reported by Stefan Viehböck of SEC Consult Vulnerability Lab. Hangzhou has not provided mitigations for these vulnerabilities.

The three reported vulnerabilities are:

• Predictable from observable state - CVE-2018-17917;
• Hidden functionality - CVE-2018-17919; and
• Missing encryption of sensitive data - CVE-2018-17915

NCCIC-ICS reports that a relatively low-skilled attacker with remote access could use publicly available exploit code against these vulnerabilities to gain unauthorized access to video feeds, with the potential to modify settings, replace firmware, and/or execute code.

SIMATIC S7-1500 Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200SP Open Controller. The vulnerability was reported by Marcin Dudek, Jacek Gajewski, Kinga Staszkiewicz, Jakub Suchorab, and Joanna Walkiewicz from National Centre for Nuclear Research Poland. Siemens has updates to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the network stack.

SIMATIC S7-1200 Advisory


This advisory describes a cross-site request forgery vulnerability in the Siemens SIMATIC S7-1200 CPU Family Version 4. The vulnerability was reported by Lisa Fournet and Marl Joos from P3 communications GmbH. Siemens has a firmware update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow a CSRF attack if an unsuspecting user is tricked into accessing a malicious link.
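The advisory text explains the CSRF consequence in one sentence: the browser of a logged-in user sends that user’s session cookie with any request, including one triggered by a malicious link. The following is an added illustration, not code from Siemens or from the advisory, showing the defensive pattern in a minimal request handler: a state-changing handler that trusts the cookie alone (the behaviour described above) beside one that also requires a per-session token the cross-site page cannot obtain. The request dictionaries, `SERVER_SECRET`, and the handler names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment keeps this out of the code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer-style token bound to the session by an HMAC, so a token is
    only valid for the session it was issued to and cannot be transplanted."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_state_change_vulnerable(request):
    """The weak form: any request carrying a session cookie is honoured, so a
    request the browser issues because the user opened a malicious link succeeds."""
    if request.get("cookie_session") is None:
        return 401
    return 200


def handle_state_change_hardened(request, secret=SERVER_SECRET):
    """The hardened form: cookie plus a token the page must echo back, plus an
    Origin check as a second layer when the browser supplies the header."""
    session_id = request.get("cookie_session")
    if session_id is None:
        return 401
    # Browsers attach cookies to cross-site requests automatically; they do not
    # attach a value that lives only in the legitimate page body.
    token = request.get("form_csrf_token")
    if token is None:
        return 403
    if not hmac.compare_digest(token, issue_csrf_token(session_id, secret)):
        return 403
    origin = request.get("header_origin")
    if origin is not None and origin != request["expected_origin"]:
        return 403
    return 200


# Constructed sample requests (not captured traffic).
SESSION = "sess-0001"
SITE = "https://plc.example"
LEGIT_REQUEST = {
    "cookie_session": SESSION,
    "form_csrf_token": issue_csrf_token(SESSION),
    "header_origin": SITE,
    "expected_origin": SITE,
}
# A cross-site request carries the cookie but no token and a foreign Origin.
CROSS_SITE_REQUEST = {
    "cookie_session": SESSION,
    "header_origin": "https://other.example",
    "expected_origin": SITE,
}


def demo():
    """Return the status each handler gives each request, for comparison."""
    return {
        "vulnerable_legit": handle_state_change_vulnerable(LEGIT_REQUEST),
        "vulnerable_cross_site": handle_state_change_vulnerable(CROSS_SITE_REQUEST),
        "hardened_legit": handle_state_change_hardened(LEGIT_REQUEST),
        "hardened_cross_site": handle_state_change_hardened(CROSS_SITE_REQUEST),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token check alone already defeats the link-based attack the advisory describes; the Origin comparison is defence in depth, and a `SameSite` attribute on the session cookie would be a third layer where the device’s firmware supports setting it.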

ROX II Advisory


This advisory describes two improper privilege management vulnerabilities in the Siemens ROX II. The vulnerabilities were reported by Gerard Harney from NCC Group (reported in Siemens advisory not NCCIC-ICS). Siemens has a new version that mitigates the vulnerabilities. There is no indication that Harney has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow valid users to escalate their privileges and execute arbitrary commands.

SCALANCE Advisory


This advisory describes a cryptographic issues vulnerability in the Siemens SCALANCE W1750D. The vulnerability is fully described on the Return of Bleichenbacher's Oracle Threat (ROBOT) web site. Siemens is self-reporting the vulnerability. Siemens has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability using publicly available exploits to allow an attacker to decrypt TLS traffic.

NOTE: I suspect that other ICS devices using TLS services could face similar TLS ROBOT problems. Too bad NCCIC-ICS has not done an alert on this issue. Then again, does NCCIC-ICS do alerts?
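The ROBOT problem is specific to cipher suites whose key exchange encrypts the premaster secret with the server’s RSA key (the `TLS_RSA_WITH_...` suites), not to every suite that happens to use an RSA certificate for signing. A practitioner wanting to check the speculation in the note above against their own TLS-enabled devices can therefore start from the advertised cipher list and the server configuration. The block below is an added example, not code from Siemens, NCCIC-ICS or the ROBOT site: it classifies a constructed list of IANA suite names, and uses the local OpenSSL (via Python’s `ssl` module) to confirm that a hypothetical hardened cipher string produces no static-RSA suites. The suite list and `HARDENED_CIPHERS` are assumptions for illustration.

```python
import ssl

# Constructed sample: IANA cipher-suite names as a device's TLS listener might
# advertise them (not taken from any advisory).
SAMPLE_ADVERTISED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]


def uses_static_rsa_kex(suite_name):
    """True for suites whose key exchange is RSA encryption of the premaster
    secret (IANA names TLS_RSA_WITH_...).  These are the suites a Bleichenbacher
    padding oracle such as ROBOT concerns; TLS_ECDHE_RSA_... and TLS_DHE_RSA_...
    only *sign* with RSA and are forward secret."""
    return suite_name.startswith("TLS_RSA_WITH_")


def robot_exposure(suites):
    """Split an advertised suite list into ROBOT-relevant static-RSA suites and
    the forward-secret remainder."""
    exposed = [s for s in suites if uses_static_rsa_kex(s)]
    forward_secret = [s for s in suites if not uses_static_rsa_kex(s)]
    return exposed, forward_secret


# Hypothetical hardened OpenSSL cipher string: forward-secret AEAD suites only,
# with static RSA key exchange (kRSA) explicitly excluded.  This is the usual
# configuration-side mitigation for ROBOT-class oracles.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!MD5"


def kex_by_suite(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and report
    the key-exchange algorithm of each resulting suite ('kx-rsa', 'kx-ecdhe',
    'kx-dhe', or 'kx-any' for TLS 1.3 suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()}


def cipher_string_is_robot_safe(cipher_string):
    """True when no suite produced by the cipher string uses static RSA key exchange."""
    return all(kea != "kx-rsa" for kea in kex_by_suite(cipher_string).values())


if __name__ == "__main__":
    exposed, ok = robot_exposure(SAMPLE_ADVERTISED_SUITES)
    print("static-RSA key exchange (ROBOT-relevant):", exposed)
    print("forward-secret:", ok)
    print("hardened string free of kx-rsa:", cipher_string_is_robot_safe(HARDENED_CIPHERS))
    print("local OpenSSL 'DEFAULT' free of kx-rsa:", cipher_string_is_robot_safe("DEFAULT"))
```

Removing the static-RSA suites closes the oracle regardless of whether a given firmware’s padding check leaks timing or error differences, which is why it is the mitigation to prefer on devices whose TLS stack cannot be patched promptly; the last line of the demo shows that a stock OpenSSL `DEFAULT` list usually still includes such suites, so an explicit cipher string is needed.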

GE Advisory


This advisory describes an unsafe ActiveX control marked safe for scripting vulnerability in the GE Gigasoft component of iFix. The vulnerability was reported by LiMingzheng of 360 aegis security team. Recent versions of iFIX mitigate the vulnerability. There is no indication that LiMingzheng has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a buffer overflow condition.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, and most recently on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for SIMATIC S7-1200 CPU.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018. The new information includes revised affected versions data and mitigation measures for SINUMERIK 828D.

SIMATIC PCS7 Update


This update provides additional information on an advisory that was originally published on November 2nd, 2018 and updated on June 12th, 2018. The new information includes revised affected versions data and mitigation measures for:

• OpenPCS 7 V8.1; and
• SIMATIC WinCC Runtime Professional V13

SIMATIC WinCC Update


This update provides additional information on an advisory that was originally published on April 19th, 2018. The new information includes revised affected versions data and mitigation measures for WinCC OA Operator App.

SINAMICS Update


This update provides additional information on an advisory that was originally published on May 8th, 2018. The new information includes revised affected versions data and mitigation measures for SINAMICS GM150 V4.7 w. PROFINET.

SIMATIC Step7 Update


This update provides additional information on an advisory that was originally published on August 14th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC STEP 7 (TIA Portal); and
• WinCC (TIA Portal) V13

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC S7-1200 CPU;
• SIMATIC STEP 7 (TIA Portal) V13; and
• SIMATIC WinCC (TIA Portal) V13
