Thursday, December 31, 2020

Top 10 Blog Posts for 2020

Everyone else is doing it, so here goes, the top 10 blog posts on Chemical Facility Security News for 2020 as reported by Google Blogger.com. Interestingly, none of these stories is of any major significance. That gives one pause.

1. House Rule for HR 2055 – 12-16-11

2. Significant Changes in Chlorine Dispersion Models – 8-1-15

3. Conference Report for HR 6395 – FY 2021 NDAA – 12-7-20

4. Trump to Eliminate CFATS? – 2-9-20

5. House Agrees to HR 6395 Conference Report – FY 2021 NDAA – 12-9-20

6. Greenpeace Inspections Continue – 6-24-10

7. Public ICS Disclosures – Week of 1-25-20 – 2-1-20

8. Finally, a Real NTAS Bulletin – 1-4-20

9. Did the Senate Kill CFATS Because of COVID-19? – 3-27-20

10. CISA Publishes 2020 Chemical Security Webinars Agenda – 11-14-20

Interesting that the top 2 posts (and one other) are from years much earlier than 2020. I have no explanation for it; that is just what Google reports.

The one that bothers me a little is number 9. It is one of those times where I made a mistake in my reporting because of not digging quite deep enough. Fortunately, a reader pointed out my error and I was able to correct the mistake.

Monday, December 28, 2020

House Votes to Override Veto of HR 6395 – FY 2021 NDAA

This evening the House took up the President’s veto of HR 6395, the FY 2021 National Defense Authorization Act. The House voted to override the veto by a vote of 322 to 87. The House voted to accept the Conference Report on the bill early in the month by a vote of 355 to 78. As expected, there were some Republican defections; 40 Republicans voted ‘Nay’ on the Conference Report, but 67 voted not to override the veto. These were nearly offset by 17 Democrats who changed their votes from ‘Nay’ to ‘Yea’.

The Senate will start the process of considering the President’s veto tomorrow, but a final vote could take place as late as the last day of the 116th Congress next week. 

Saturday, December 26, 2020

Public ICS Disclosures – Week of 12-19-20

This week we have four vendor disclosures from BD, Moxa, and Dell (2). There is an exploit report for a product from Pulse Secure.

BD Advisory

BD published an advisory discussing the SUNBURST vulnerability. BD reports that none of their products deployed at customer sites contain SolarWinds Orion products.

Moxa Advisory

Moxa published an advisory discussing the Amnesia:33 vulnerabilities. Moxa reports that none of their products are affected.

Dell Advisories

Dell published an advisory describing two insecure default configuration vulnerabilities in their Wyse Thin Client devices. The vulnerabilities were reported by CyberMDX. Dell has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE: Thanks to @ICS_SCADA (Marc Ayala) for pointing out that these are used in ICS environments.

 

Dell published an advisory describing three vulnerabilities in their Wyse Management Suite. The vulnerabilities were reported by Khalid Latifi. Dell has an update that mitigates the vulnerabilities. There is no indication that Latifi has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting (2) - CVE-2020-29496 and CVE-2020-29497, and

• Open redirect - CVE-2020-29498

Pulse Secure Exploit

h00die published a Metasploit module for a remote code execution vulnerability in the Pulse Secure VPN. There is no CVE included in the published notice, so this may be a 0-day vulnerability.

Thursday, December 24, 2020

OMB Approves 2 FAA UAS Final Rules

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced [see links below] that it had approved two final rules for the DOT’s Federal Aviation Administration concerning unmanned aircraft systems. Both rulemakings were sent to OIRA for review in October. The two rules were:

Remote Identification of Unmanned Aircraft Systems, and

Operations of Small Unmanned Aircraft Over People

Remote Identification Rule

According to the abstract in the Fall 2020 Unified Agenda:

“This action would require the remote identification of unmanned aircraft systems. The remote identification of unmanned aircraft systems in the airspace of the United States would address safety, national security, and law enforcement concerns regarding the further integration of these aircraft into the airspace of the United States while also enabling greater operational capabilities.”

The notice of proposed rulemaking (NPRM) for this rule was published in December of last year.

Operations Over People Rule

According to the abstract in the Fall 2020 Unified Agenda:

“This rulemaking would address the performance-based standards and means-of-compliance for operation of small unmanned aircraft systems (UAS) over people not directly participating in the operation or not under a covered structure or inside a stationary vehicle that can provide reasonable protection from a falling small unmanned aircraft. This rule would provide relief from certain operational restrictions implemented in the Operation and Certification of Small Unmanned Aircraft Systems final rule (RIN 2120-AJ60).”

The NPRM for this rule was published in February of 2019.

Wednesday, December 23, 2020

PHMSA Sends Pipeline Safety Deregulation Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received for review a final rule addressing “Gas Pipeline Regulatory Reform” from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA). The notice of proposed rulemaking for this action was published in June of 2020.

According to the abstract in the Fall 2020 Unified Agenda for this rulemaking:

“This rulemaking would amend the Pipeline Safety Regulations to adopt a number of actions that ease regulatory burdens on the construction and operation of gas transmission, gas distribution and gas gathering pipeline systems. These amendments include regulatory relief actions identified by internal agency review, existing petitions for rulemaking, and public comments on the Department of Transportation Regulatory Review and Transportation Infrastructure notices.”

Tuesday, December 22, 2020

DOD Publishes NISPOM Final Rule

Yesterday the Department of Defense published a final rule in the Federal Register (85 FR 83300-83364) that codifies the National Industrial Security Program Operating Manual (NISPOM) as 32 CFR Part 117. The NISPOM establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders to prevent unauthorized disclosure. This final rule becomes effective on February 24th, 2021.

Coverage

According to the new §117.2 this rule applies to: “All industrial, educational, commercial, or other non-USG entities granted access to classified information by the USG executive branch departments and agencies or by foreign governments” {§117.2(3)}.

Section 117.2(b)(1) goes on to clarify that this rule does not:

“Limit in any manner the authority of USG executive branch departments and agencies to grant access to classified information [emphasis added] under the cognizance of their department or agency to any individual designated by them. The granting of such access is outside the scope of the NISP and is accomplished pursuant to E.O. 12968, E.O. 13526, E.O. 13691, the AEA, and applicable disclosure policies.”

Section 117.22 specifically provides DHS with the “authority to determine the eligibility for personnel security clearances and to administer the sharing of relevant classified NSI with certain private sectors or non-federal partners for the purpose of furthering cybersecurity information sharing [emphasis added] among critical infrastructure partners pursuant to E.O. 13691” {§117.22(b)(1)}. It then goes on to clarify that participating entities “will cooperate with DHS security officials to ensure the entity is in compliance with requirements in this rule” {§117.22(b)(2)}.

Security Requirements

Entities granted access to, or generating, classified information are responsible for complying with all of the requirements of this rule. Major areas of interest will include:

• §117.3 Definitions,

• §117.4 Policy,

• §117.6 Responsibilities,

• §117.7 Procedures,

• §117.8 Reporting requirements,

• §117.10 Determination of eligibility for access to classified information for contractor employees,

• §117.11 Foreign Ownership, Control, or Influence (FOCI),

• §117.15 Safeguarding classified information,

• §117.18 Information system security,

• §117.21 COMSEC, and

• §117.22 DHS classified critical infrastructure protection program (CCIPP).

The reporting requirements of §117.8 require special note. As required in §117.8(1), contractors and their cleared employees are required to report:

• Certain events that may have an effect on the status of the entity's or an employee's eligibility for access to classified information,

• Events that indicate an insider threat to classified information or to employees with access to classified information,

• Events that affect proper safeguarding of classified information; and

• Events that indicate classified information has been, or is suspected to be, lost or compromised.

Commentary

I have long maintained that the governmental classification of cybersecurity threat information is a major impediment to information sharing because of the cost involved in being able to properly receive, store, and disseminate classified information. With the codification of the NISPOM, it should now be clear exactly why I have raised these objections over the years. DHS is going to have to make special efforts to ensure that non-classified information on cyber threats is made readily available. Fortunately, the public reporting on the recent SUNBURST vulnerabilities would seem to indicate that CISA has taken that responsibility to heart.

Monday, December 21, 2020

ISCD Updates 5 FAQ Responses – 12-21-20

Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to five frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. The same substantive change was made in each case.

The following FAQ responses were revised:

FAQ #1275 What needs to be done with the facility ID in the Chemical Security Assessment Tool (CSAT) when a covered chemical facility is bought or sold?

FAQ #1557 What should a facility do if it believes the risk-based tier determination that the Cybersecurity and Infrastructure Security Agency (CISA) has assigned it no longer reflects the actual security risk posed to the facility?

FAQ #1620 How does an individual report a possible security concern involving the Chemical Facility Anti-Terrorism Standards (CFATS) regulation at one’s facility or another facility?

FAQ #1666 Does a covered chemical facility have an obligation to notify the Cybersecurity and Infrastructure Security Agency (CISA) if the facility is closing?

FAQ #1756 What action is required if a facility needs to change owner and/or operator names when it is not related to a transfer of ownership?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The same change was made in each of the five responses, a complete change in the snail mail address for CFATS notifications. The new address is:

Chemical Security, Associate Director

CISA – SCS STOP 0390

Cybersecurity and Infrastructure Security Agency

1401 South Clark St.

Arlington, VA 20598-0390

Consolidated Spending Bill Passed in House - HR 133

As I start writing this post, the House has begun its debate of the Consolidated Appropriations Act, 2021. The House is using HR 133, the United States-Mexico Economic Partnership Act, as the vehicle for the spending bill. The bill was passed in the House and then amended in the Senate; technically the House is considering the Senate amendment to this bill, so the House (and later the Senate) can avoid a bunch of the required activities associated with new legislation. The House will vote on the bill before I finish writing this blog post.

The provisions of this bill that I would normally review are found in the following Divisions of the bill:

• DIVISION A – Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2021 (pg 9);

• DIVISION B – Commerce, Justice, Science, and Related Agencies Appropriations Act, 2021 (pg 132);

• DIVISION C – Department of Defense Appropriations Act, 2021 (pg 258);

• DIVISION D – Energy and Water Development and Related Agencies Appropriations Act, 2021 (pg 425); and

• DIVISION F – Department of Homeland Security Appropriations Act, 2021 (pg 656).

NOTE: All page numbers in this post are .PDF page numbers. This committee print of the bill has all sorts of copy/paste page numbers interspersed in the publication so those printed page numbers are almost worthless.

I found no significant mentions of cybersecurity in any of the divisions above beyond the standard spending provisions mentioned in the relative department spending bills.

In addition to two Divisions related to COVID-19 relief there are 15 other divisions that have been added to this bill. They include:

• DIVISION R – Protecting our Infrastructure of Pipelines and Enhancing Safety (PIPES) Act of 2020 (pg 2634),

• DIVISION U – Homeland Security and Governmental Affairs Provisions (pg 2844),

• DIVISION W – Intelligence Authorization Act for Fiscal Year 2021 (pg 3043), and

• DIVISION Z – Energy Act of 2020 (pg 3194).

Oh, and by the way, the language that the Senate passed for HR 133 was also included in this bill.

Senate Homeland Security Provisions

DIVISION U of this bill includes a number of provisions that originated in the Senate Homeland Security and Governmental Affairs Committee. These provisions include TITLE VII—DHS Countering Unmanned Aircraft Systems Coordinator Act (essentially S 1867).

Intelligence Authorization Act

The version of the Intel Authorization language in this bill appears to be compromise language between the version passed in the Senate in S 4049 and the version reported in the House in HR 7856. Division W includes the following cybersecurity related sections:

§601. Report on attempts by foreign adversaries to build telecommunications and cybersecurity equipment and services for, or to provide such equipment and services to, certain allies of the United States.

§602. Report on threats posed by use by foreign governments and entities of commercially available cyber intrusion and surveillance technology.

§603. Reports on recommendations of the Cyberspace Solarium Commission.

Joint Explanatory Statement - DHS

The House Rules Committee also published Joint Explanatory Statements (JES) for each of the divisions that would equate to stand-alone spending bills. Votes are still ongoing in the House, so I will take some time to look at the JES for Division F, DHS.

The following adjustments for cybersecurity spending were made to the spending requests from the President:

• Reduced by $2,596,000 for the proposed Joint Cyber Coordination Group (pg 2),

• Increased by $4,250,000 to continue TSA field assessments to identify pipeline cybersecurity gaps (pg 35),

• Increased by $16,000,000 for Coast Guard cyber readiness (pg 39),

• Increased by $1,600,000 for Secret Service cyber fraud task force modernization (pg 43),

• Reduced by $2,500,000 the proposed increases to the CISA CyberSentry program (pg 48),

• Reduced by $6,500,000 the proposed increases for CISA cybersecurity advisors (pg 48),

• Increased by $20,607,000 the spending for the CISA Cyber Defense Education and Training (CDET) program (pg 49),

• Increased by $10,000,000 the spending for CISA to enhance cybersecurity education and training and programs to address the national shortfall of cybersecurity professionals (pg 49),

• Increased by $4,300,000 the spending for the CISA Cybersecurity Education and Training Assistance Program (CETAP) (pg 49),

• Increased by $3,000,000 to expand CISA's threat hunting capabilities (pg 51),

• Increased by $10,568,000 to establish the Joint Cyber Planning Office (JCPO) (pg 51), and

• Increased by $4,000,000 for the SLTT Cyber Information Sharing Program (pg 53).

House Vote on Spending Bill

The House divided the vote on the amended version of HR 133 into two separate votes. The first vote was on Divisions B, C, E, and F. The House subsequently voted on the remainder of the bill. Both votes passed, but some glitch on the Clerk of the House web site is not allowing the details of those votes to be seen yet.

As a separate matter when the House approved H. Res 1271, the rule for the consideration of HR 133, earlier in the evening it automatically approved an amendment to the Senate amendment to HR 1520, the Purple Book Continuity Act of 2020. That amendment extended the most recent Continuing Resolution spending authority through midnight December 28th, 2020. This would provide the Senate with the option of extending the spending bill deadline if it cannot pass HR 133 this evening.

Sunday, December 20, 2020

House and Senate Pass Another 1-day CR – HJ Res 110

This evening the House took up HJ Res 110, another one-day continuing resolution to continue funding the government through midnight tomorrow night. According to news reports (no official Senate records are yet available for today) the Senate subsequently took up the bill under their unanimous consent process and forwarded it to the President. As of this writing, there is no word on the President’s action on the CR.

The House and Senate leadership have apparently worked out a deal on both the final FY 2021 spending bill and a COVID-19 relief bill. The latter will apparently be introduced and passed in the House tomorrow along with a 7-day CR to allow for a spending bill to be printed and then subsequently considered in the House and Senate. There is not yet a version of the legislation available for public view. We will probably see a Committee Print available tomorrow on the House Rules Committee web site.

Saturday, December 19, 2020

FRA Publishes New PTC Reporting NPRM

Friday the DOT’s Federal Railroad Administration (FRA) published a notice of proposed rulemaking (NPRM) in the Federal Register (85 FR 82400-82425) outlining changes to the regulations concerning positive train control systems (PTC) reporting processes. The proposed changes include:

• Modifying the process under 49 CFR 236.1021 by which a host railroad must submit a request for amendment (RFA) to FRA before making certain changes to its PTC Safety Plan (PTCSP) and FRA-certified PTC system,

• Expanding an existing reporting requirement by increasing the frequency from annual to biannual,

• Broadening the reporting requirement to encompass positive performance-related information, not just failure-related information, and

• Requiring host railroads to utilize a new, standardized Biannual Report of PTC System Performance (Form FRA F 6180.152).

Public Comments

The FRA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FRA-2019-0075). Comments should be submitted by February 16th, 2021.

Commentary

The FRA is to be commended for recognizing that the completion of the initial implementation of the PTC program (at long last) should mark a change in the way that it oversees the program. This proposed rulemaking goes a long way to providing the FRA with the necessary information that it needs to perform its regulatory oversight function. Unfortunately, with the recent news about the SUNBURST attacks, it is clear that all federal agencies must step up their activities related to cybersecurity. The PTC safety system is one such area where the FRA must proactively address cybersecurity needs.

A comprehensive attempt to address the cybersecurity challenges related to the PTC system will probably require a stand-alone rulemaking, but this NPRM provides a good place for the FRA to make a cybersecurity down payment on the system.

The FRA already notes the importance of reporting of software defects in 49 CFR 236.1023(b). The scope of that requirement needs to be enlarged to include notifications of third-party reports of software and firmware vulnerabilities, but that is outside the scope of this rulemaking. The reporting requirements of that section, however, should be included in the biannual reporting requirements being addressed in this rulemaking. This could be addressed by inserting a new subparagraph (iii):

“(iii) Any reports from hardware or software suppliers or vendors under §236.1023(b) about software failures or reported vulnerabilities.”

The FRA should also specify that changes to PTC software or firmware specifically require approval under the proposed revised processes. This would allow the FRA to keep control of an important part of the PTC environment. It could be achieved by adding a new subparagraph (5) under §236.1021(h):

“(5) Any change in PTC component software or firmware.”

One other area that should be addressed by the FRA is adding a requirement for reporting unusual operation of the PTC systems. Such incidents can provide indications that the system has been attacked or breached. Ideally, this would include adding the phrase “or demonstrates indicators of compromise” after the word “malfunctions” in 49 USC 20157(j)(2), but that is clearly beyond the scope of rulemaking. Having said that, this could be implemented by revising the proposed definition for ‘malfunction’ at §236.1003(b) by inserting the following language after “PTCSP”:

“, or any indication of unauthorized system access or other indicators of compromise described by system suppliers or vendors.”

These changes would be a first step in increasing the efforts to be taken by the FRA to ensure that cybersecurity of PTC systems is being addressed in a proactive manner.

A copy of this post will be submitted as a comment on this NPRM.

Public ICS Disclosures – Week of 12-12-20

This week we have five vendor disclosures regarding the Amnesia33 vulnerabilities. There were three vendor disclosures for the SUNBURST vulnerability. There were ten other vendor disclosures for products from ABB (3), Bosch (3), WAGO, Phoenix Contact (2), and VMware. There was one vendor update from Mitsubishi. We have seven researcher reports of vulnerabilities in products from Lantronix (2), Secomea, and Eaton (4).

Amnesia33 Advisories

Braun published an advisory discussing the Amnesia33 vulnerabilities. They report that none of their ‘connected devices’ is affected.

Drager published an advisory discussing the Amnesia33 vulnerabilities. They report that their medical devices are not affected.

HMS published an advisory discussing the Amnesia33 vulnerabilities. They provide a list of their products that they have confirmed are not affected.

Johnson and Johnson published an advisory discussing the Amnesia33 vulnerabilities. They report that they are investigating the potential impact of the vulnerabilities on their product line.

Spacelabs Healthcare published an advisory discussing the Amnesia33 vulnerabilities. They report that none of their products are affected by the vulnerabilities.

Sunburst Advisories

Drager published an advisory discussing the SUNBURST vulnerability. They report that their medical devices are not affected.

Boston Scientific published an advisory discussing the SUNBURST vulnerability. They report that their products are not affected.

Philips published an advisory discussing the SUNBURST vulnerability. They report that they are monitoring developments.

ABB Advisories

ABB published an advisory [corrected link, 12-19-20 1941 EST] describing five vulnerabilities in their Central Licensing System. The vulnerabilities were reported by William Knowles at Applied Risk. ABB has new versions that mitigate the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Information disclosure - CVE-2020-8481,

• XML external entity injection - CVE-2020-8479,

• Denial of service - CVE-2020-8475,

• Elevation of privilege - CVE-2020-8476, and

• Weak file permissions - CVE-2020-8471

 

ABB published an advisory describing eight vulnerabilities in their Symphony® Plus Historian. The vulnerabilities are self-reported. ABB has an update that mitigates the vulnerabilities.

The eight reported vulnerabilities are:

• SQL injection - CVE-2020-24673,

• Improper authorization - CVE-2020-24674,

• Weak authentication - CVE-2020-24675,

• Insecure Windows services - CVE-2020-24676,

• Web application security - CVE-2020-24677,

• Privilege escalation - CVE-2020-24678,

• Denial of Service - CVE-2020-24679, and

• Improper credential storage - CVE-2020-24680

 

ABB published an advisory describing nine vulnerabilities in their Symphony® Plus Operations. The vulnerabilities are self-reported. ABB has an update that mitigates the vulnerabilities.

The nine reported vulnerabilities are:

• SQL injection - CVE-2020-24673,

• Improper authorization - CVE-2020-24674,

• Weak authentication - CVE-2020-24675,

• Insecure Windows services - CVE-2020-24676,

• Web application security - CVE-2020-24677,

• Privilege escalation - CVE-2020-24678,

• Denial of Service - CVE-2020-24679,

• Improper credential storage - CVE-2020-24680, and

• Authentication bypass - CVE-2020-24683

Bosch Advisories

Bosch published an advisory describing a null pointer dereference vulnerability in their ctrlX Products. This is a third-party OpenSSL vulnerability. Bosch has an update that mitigates the vulnerability.

 

Bosch published an advisory describing two vulnerabilities in their Rexroth IndraMotion Products. Both vulnerabilities are third-party CODESYS vulnerabilities (CVE links below are to the respective CODESYS advisories). Bosch recommends using their ctrlX CORE product to mitigate these vulnerabilities.

The two reported vulnerabilities are:

• Uncontrolled memory allocation - CVE-2020-7052 [.PDF download link], and

• Memory Corruption - CVE-2019-5105 [.PDF download link]

NOTE: Proof-of-concept code is available for the CODESYS vulnerabilities in the respective reports from Tenable and Talos.

 

Bosch published an advisory describing six vulnerabilities in their Rexroth PRC7000. These are third-party CODESYS vulnerabilities (CVE links below are to the respective CODESYS advisories). Bosch has a new firmware version that mitigates the vulnerabilities.

The six reported vulnerabilities are:

• Memory Corruption - CVE-2019-5105 [.PDF download link] Tenable report,

• Heap-based buffer overflow - CVE-2019-18858 [.PDF download link] Tenable report,

• Unverified ownership - CVE-2019-9010 [.PDF download link] NCCIC-ICS report,

• Uncontrolled memory allocation - CVE-2019-9012 [.PDF download link] NCCIC-ICS report,

• Insufficiently protected credentials - CVE-2019-9013 [.PDF download link] NCCIC-ICS report, and

• Heap-based buffer overflow - CVE-2020-10245 [.PDF download link] Tenable report.

NOTE: The respective Tenable reports include proof-of-concept code for the CODESYS vulnerabilities.

WAGO Advisory

VDE-CERT published an advisory describing an improper neutralization of special elements in an OS command vulnerability in the WAGO I/O-Check Service. The vulnerability was reported by Uri Katz of Claroty. WAGO has a new firmware version that mitigates the vulnerability.

NOTE: The Claroty report includes a Snort rule to detect the vulnerability.

Phoenix Contact Advisories

Phoenix Contact published an advisory [.PDF download link] describing a missing initialization of resource vulnerability in their mGuard products. The vulnerability was reported by SMST Designers & Constructors. Phoenix Contact has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

Phoenix Contact published an advisory [.PDF download link] describing four vulnerabilities in their PLCnext Control devices. The vulnerabilities were reported by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul, Melanie Tholen and Daniel Hackel of SVA Systemvertrieb Alexander GmbH. Phoenix Contact has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• XSS - CVE-2020-12517,

• Exposure of sensitive information - CVE-2020-12518,

• Improper privilege management - CVE-2020-12519, and

• Improper input validation (in the PROFINET stack) - CVE-2020-12521.

NOTE: There is no indication whether the last vulnerability is unique to the Phoenix Contact implementation of PROFINET or if it is a third-party vulnerability.

VMware Advisory

VMware published an advisory describing an improper input validation vulnerability in their ESXi, Workstation and Fusion products. The vulnerability was reported by Lucas Leong (@_wmliang_) of the Zero Day Initiative and Murray McAllister of Insomnia Security. VMware has patches that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Mitsubishi Update

Mitsubishi published an update of their Factory Automation advisory that was originally published on July 30th, 2020 and most recently updated on November 5th, 2020. The new information includes providing mitigation information for GT SoftGOT1000.

NOTE: NCCIC-ICS published their advisory for this vulnerability and updated it in November.

Lantronix Reports

Talos published two reports (see CVE’s below for links) for vulnerabilities in the Lantronix XPort EDGE Web Manager. These are coordinated disclosures. The reports do not mention if the vulnerabilities have been corrected.

The two reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2020-13528, and

• CSRF - CVE-2020-13527

Secomea Report

Tenable published a report describing two vulnerabilities in the Secomea GateManager. This is a coordinated disclosure. The Tenable report includes proof-of-concept code. Tenable does not report that Secomea has produced any mitigation measures.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-29021, and

• HTTP host header injection - CVE-2020-29022

Tenable notes that these will be third-party vulnerabilities in products from at least B&R Industrial Automation and perhaps other vendors as well.

Eaton Reports

The Zero Day Initiative published four reports (see ZDI numbers for links) from Francis Provencher for vulnerabilities in the Eaton EASYsoft application. This is a coordinated disclosure but ZDI is reporting these as zero-day vulnerabilities.

The four reported vulnerabilities are:

• Out-of-bounds read - ZDI-20-1443, and

• File parsing type confusion (3) - ZDI-20-1444, ZDI-20-1442, and ZDI-20-1441

Friday, December 18, 2020

House Passes HJ Res 107 – Another Short CR

Early this evening the House took up HJ Res 107, the Further Additional Continuing Appropriations Act, 2021. The measure passed by a mainly bipartisan vote of 320 to 60; no Democrats votes against the CR. The bill provides an extension of the current FY 2021 spending through midnight December 20th, 2020. The House then adjourned until noon on Sunday. The Senate adjourned shortly afterward without taking up HJ Res 107.

It looks like the Senate will take up the CR tomorrow. Technically, this means that as of midnight tonight the government will shut down. Since this is a weekend, a shutdown until sometime tomorrow is probably a non-issue. The Senate passed the bill by voice vote, sending it to the President, who signed it this evening. [12-18-20, 2328 EST] This very short CR means that the House leadership expects to have a deal in place for a FY 2021 spending bill with some sort of COVID-19 support package. A vote will probably happen in the House on Sunday.

1 Advisory Published – 12-18-20

Today the CISA NCCIC-ICS published an unusual Friday control system security advisory for products from Treck.

Treck Advisory

This advisory describes four vulnerabilities in the Treck TCP/IP stack. The vulnerabilities were reported by Intel. Treck has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-25066,

• Out-of-bounds write - CVE-2020-27337, and

• Out-of-bounds read - CVE-2020-27338 and CVE-2020-27336

NOTE: These vulnerabilities are in a version where the Ripple20 vulnerabilities had already been corrected. I would suspect that just about everyone that was affected by Ripple20 as a third-party vulnerability will be affected by this.

Thursday, December 17, 2020

3 Advisories Published – 12-17-20

Today the CISA NCCIC-ICS published three control system security advisories for products from PTC (2) and Emerson.

LinkMaster Advisory

This advisory describes an incorrect default permissions vulnerability in the PTC Kepware LinkMaster application. The vulnerability was reported by Yuri Kramarz of Cisco Talos. PTC has a new version that mitigates the vulnerability. There is no indication that Kramarz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability; a local attacker could globally overwrite the service configuration and execute arbitrary code with NT SYSTEM privileges.

NOTE: The Talos report includes proof-of-concept code.
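The mechanism NCCIC-ICS describes above (a service that runs as NT SYSTEM while its configuration is writable by low-privileged users) is a general local privilege-escalation pattern, so it is worth checking for on any Windows host running ICS connectivity software, not just LinkMaster. The PowerShell below is an added example and is not code from the advisory, the Talos report or PTC. It enumerates every installed service, pulls the executable out of the service command line, and reports any binary, containing directory, or caller-supplied path whose ACL grants write-class rights to low-privileged principals. The advisory text here does not name the LinkMaster configuration file, so that path is not assumed; known configuration files can be passed through the -ExtraPaths parameter, which is this script's own.

```powershell
# Added example, not from the PTC advisory or the Talos report. Finds Windows services whose
# executable, its directory, or caller-supplied paths (e.g. a service configuration file)
# grant write-class rights to low-privileged principals ("incorrect default permissions").

function Get-ServiceExecutable {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted, unquoted, and carry arguments; keep the executable only.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-WeakAce {
    param([string]$Path)
    # Principals a local, non-admin attacker can act as.
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Rights that let such a principal change the object's contents or its ACL. ACEs that use
    # generic rights render as numbers in FileSystemRights.ToString() and are not classified here.
    $writeClass = 'FullControl|Modify|\bWrite\b|WriteData|CreateFiles|AppendData|TakeOwnership|ChangePermissions'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights.ToString() -match $writeClass) {
            return '{0}: {1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
    return $null
}

function Find-WeakServicePaths {
    # -ExtraPaths is this script's own parameter (assumed input): configuration files that the
    # service reads but that do not appear in its command line.
    param([string[]]$ExtraPaths = @())

    $targets = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExecutable $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($p in @($exe, (Split-Path -Parent $exe))) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode; Path = $p }
        }
    }
    $targets += foreach ($p in $ExtraPaths) {
        [pscustomobject]@{ Service = '(caller-supplied)'; RunsAs = ''; StartMode = ''; Path = $p }
    }

    foreach ($t in $targets) {
        $hit = Get-WeakAce $t.Path
        if ($hit) {
            [pscustomobject]@{
                Service   = $t.Service
                RunsAs    = $t.RunsAs
                StartMode = $t.StartMode
                Path      = $t.Path
                WeakAce   = $hit
            }
        }
    }
}

# Usage: run elevated so every service path can be read. Services that run as LocalSystem with a
# writable binary, directory or configuration file are the ones that matter for escalation.
Find-WeakServicePaths | Where-Object { $_.RunsAs -eq 'LocalSystem' -or $_.Service -eq '(caller-supplied)' } |
    Format-Table -AutoSize
```

The check deliberately looks only at Allow ACEs for principals an unprivileged local user already holds; a Deny ACE later in the list could still block the access, so treat a hit as something to confirm with icacls rather than as a finished finding.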

KEPServerEX Advisory

This advisory describes three vulnerabilities in the PTC Kepware KEPServerEX connectivity platform. The vulnerabilities were reported by Uri Katz of Claroty. PTC has updates that mitigate the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-27265,

• Heap-based buffer overflow - CVE-2020-27263, and

• Use after free - CVE-2020-27267

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to lead to a server crashing, a denial-of-service condition, data leakage, or remote code execution.

NOTE 1: NCCIC-ICS reports that these vulnerabilities could serve as a third-party vulnerability in the following products:

Rockwell Automation KEPServer Enterprise,

GE Digital Industrial Gateway Server, and

Software Toolbox TOP Server

NOTE 2: NCCIC-ICS only provided a link to the GE advisory.

Emerson Advisory

This advisory describes an improper authentication vulnerability in the Emerson Rosemount X-STREAM gas analysis software. The vulnerability was reported by Maxim Rupp. Emerson has firmware updates that mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability, using a specially crafted URL, to download files and obtain sensitive information.

ISCD Publishes New Ammonium Nitrate Fact Sheet

Today the CISA Infrastructure Security Compliance Division (ISCD) published a link to a new ammonium nitrate fact sheet on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The fact sheet explains how the CFATS program addresses the two different forms of ammonium nitrate (AN) found in commerce in the United States. There is no new information or program interpretation provided in this fact sheet.

The CFATS program has two different entries for AN in Appendix A to 6 CFR 27, the list of DHS chemicals of interest (COI). The new fact sheet explains that the first listing in Appendix A is for forms of AN that are listed as DOT Division 1.1 explosives. Those forms of AN are addressed in the CFATS program as either a release-explosives (5,000-lb STQ) or theft-explosives security risk (400-lb STQ). Any commercial grade of AN that is a Division 1.1 explosive is covered under this listing in Appendix A.

The second listing for AN is for all other grades of ammonium nitrate where AN is at least 33% of the material. This form of AN is addressed in the CFATS program as a theft-improvised explosive device precursor (IEDP) (2,000-lb STQ) security risk.

Facilities that have an amount of AN on hand in excess of the STQ for the form described above have a duty to complete a Top Screen submission to CISA so that ISCD can determine if the facility is at high-risk of terrorist attack and thus covered under the provisions of the CFATS program.

Tuesday, December 15, 2020

1 Update Published – 12-15-20

Today the CISA NCCIC-ICS updated a control system security advisory for products from WAGO.

WAGO Update

This update provides additional information on an advisory that was originally published on November 3rd, 2020. The new information includes adding the following to the affected product list:

• 750-331/xxx-xxx

• 750-829

• 750-882

• 750-885

Sunday, December 13, 2020

Public ICS Disclosures – Week of 12-5-20, Part II

This week we have nine disclosures for products from Schneider. We also have eight vendor updates for products from Siemens (5) and Schneider (3). Finally, we have two researcher reports about vulnerabilities in products from Schneider.

Schneider Advisories

Schneider published an advisory describing a write-what-where condition vulnerability in their EcoStruxure™ Control Expert. The vulnerability was reported by Jared Rittle of Cisco Talos; the report contains proof-of-concept code. Schneider provides generic workarounds pending development of remediation measures.

 

Schneider published an advisory describing an insufficiently protected credentials vulnerability in their EcoStruxure Geo SCADA Expert. The vulnerability is being self-reported. Schneider has updates available that mitigate the vulnerability.

 

Schneider published an advisory describing two vulnerabilities in their Web Server on Modicon M340 communication modules. The vulnerabilities were reported by DongJian Security Lab and the Russian BDU FSTEC (report here). Schneider has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Forced browsing - CVE-2020-7541, and

• Improper check for unusual or exceptional conditions - CVE-2020-7539

 

Schneider published an advisory describing a missing authentication for critical function vulnerability in their Web Server on Modicon M340 communications modules. The vulnerability was reported by DongJian Security Lab. Schneider has new firmware versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

Schneider published an advisory describing a path traversal vulnerability in the Web Server on Modicon M340 communications modules. The vulnerability was reported by Zheng Qiang. Schneider has new firmware versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

 

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Web Server on Modicon M340 communications modules. The vulnerability is being self-reported.

 

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Modicon M340 CPU’s. The vulnerability was reported by the VAPT Team from C3i IITK, India. Schneider has new firmware versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

Schneider published an advisory describing three separate improper check for unusual or exceptional conditions vulnerabilities in their Modicon M580 controllers. The vulnerabilities were reported by Gao Jian of NSFOCUS, Daniel Lubel of OTORIO, Armis Security, Victor Fidalgo Villar of INCIBE-CERT, and Gideon Guo. Schneider has firmware updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their M258 Logic Controllers and SoMachine/SoMachine Motion software. The vulnerability was reported by Kai Feng. Schneider has new versions that mitigate the vulnerability. There is no indication that Kai has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates

Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on September 8th, 2020. The new information includes updated information regarding successor products for SIMATIC RF180C and RF182C.

NOTE: NCCIC-ICS updated their advisory for this vulnerability back in September but has not updated for this Siemens update.

 

Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on November 10th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2020-25284,

• CVE-2020-25668,

• CVE-2020-25705,

• CVE-2020-27618, and

• CVE-2020-27777

 

Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on September 8th, 2020. The new information includes updated information regarding successor products for SIMATIC RF182C and RFID 181EIP.

NOTE: NCCIC-ICS last updated their advisory for this product back in August.

 

Siemens published an update for their advisory that was originally published on September 9th, 2020 and most recently updated on October 13th, 2020. The new information includes adding patch links for:

• SIMATIC HMI Basic (2nd generation),

• Comfort (including SIPLUS variants), and

• Mobile Panels

NOTE: NCCIC-ICS published their advisory for these vulnerabilities back in September but has not updated it since.

 

Siemens published an update for their ZombieLoad advisory that was originally published on July 9th, 2019 and most recently updated on March 10th, 2020. The new information includes:

• Correcting mitigations for SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP and

• Providing updates for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP

Schneider Updates

Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on November 10th, 2020. The new information includes adding remediation for:

• SCADAPack 32 RTU,

• XUPH001 OsSense communication module,

• XGCS850C201 OsiSense RFID compact smart antenna,

• ATV340E Altivar Machine Drives,

• ATV630/650/660/680/6A0/6B0 Altivar Process Drives,

• ATV930/950/960/980/9A0/9B0 Altivar Process Drives,

• VW3A3720, VW3A3721 Altivar Process Communication Modules,

• ACE850 Sepam communication interface,

• PowerLogic EGX300 Ethernet Gateway,

• PowerLogic EGX100 Ethernet Gateway, and

• Acti9 Smartlink IP

 

Schneider published an update for their CodeMeter advisory that was originally published on October 13th, 2020. The new information includes reporting that the CodeMeter V7.10a fix qualification is confirmed for EcoStruxure Machine SCADA Expert.

 

Schneider published an update for their Modicon controllers advisory that was originally published on May 14th, 2019 and most recently updated on October 18th, 2020. The new information reports that a fix for an additional attack scenario for CVE-2018-7857 is available in M340 V3.30.

Schneider Reports

Claroty published a report discussing the Modicon M221 PLC vulnerabilities reported Tuesday by Schneider.

Trustwave published a report discussing one of the Modicon M221 PLC vulnerabilities reported Tuesday by Schneider. This report contains proof-of-concept code for the one-way hash vulnerability.

Saturday, December 12, 2020

Public ICS Disclosures – Week of 12-5-20, Part I

This week we have twelve vendor notifications from ABB, HMS, and Cisco (10). There are vendor updates available for products from Mitsubishi and Beckhoff.

ABB Advisory

ABB published an advisory describing a VPN gateway vulnerability in their Arctic wireless gateways. ABB says that this is a set-up issue and provides additional guidance on proper configuration to mitigate this vulnerability.

HMS Advisory

HMS published an advisory discussing the Amnesia:33 vulnerabilities. The advisory provides a list of HMS products that are currently known to not be affected by the vulnerabilities.

Cisco Advisories

Cisco published ten advisories for vulnerabilities in their IoT Field Network Director. Each advisory reports on a separate vulnerability in the same product/version. The links for the CVE number are to the individual advisories.

• Cross-site scripting - CVE-2020-26081,

• Improper domain access control - CVE-2020-26080,

• Insufficient input validation - CVE-2020-26075,

• Unprotected storage of credentials - CVE-2020-26079,

• File overwrite - CVE-2020-26078,

• Improper access control - CVE-2020-26077,

• Missing authentication for critical function - CVE-2020-3531 and CVE-2020-3392,

• Information disclosure - CVE-2020-26076, and

• Authorization bypass - CVE-2020-26072

NOTE: These advisories date back to November 18th, but I just ran across them today thanks to their listing on the Russian FSTEC web site. No cause for concern there (SIGH).

Mitsubishi Update

Mitsubishi published an update for their MC Works 64 advisory that was originally published on June 18th, 2020 and most recently updated on September 9th, 2020. The new information includes adding security patches for MC Works64 Version 3.00A - 3.04E.

NOTE: NCCIC-ICS published an advisory for these vulnerabilities back in June but has not yet updated it for either of the updates that Mitsubishi has published.

Beckhoff Update

Beckhoff published an update for their TwinCAT System Tray advisory that was originally published on November 19th, 2020. The new information includes a script for re-installing the software in a manner that mitigates the vulnerability.

Part II

As is fast becoming a ‘tradition’ here on the weekend following the second Tuesday of the month, I will publish Part II of this blog post tomorrow, looking at the advisories and updates from Siemens and Schneider that NCCIC-ICS did not address earlier in the week.

Thursday, December 10, 2020

3 Advisories Published – 12-10-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Host Engineering and Mitsubishi Electric. They also published a medical device security advisory for products from Medtronic.

Host Advisory

This advisory describes an improper input validation vulnerability in the Host ECOM100 Module. The vulnerability was reported by Uri Katz of Claroty. Host has a new version that mitigates the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to lead to a denial-of-service condition, forcing an operator to manually restart the device.

Mitsubishi Advisory

This advisory describes an improper check or handling of exceptional conditions vulnerability in the Mitsubishi MELSEC iQ-F Series CPU modules. The vulnerability is self-reported. Mitsubishi has newer firmware that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device to enter a denial-of-service condition, and a reset of the CPU module is required for recovery.

NOTE: NCCIC-ICS did not provide the link to the Mitsubishi advisory.

Medtronic Advisory

This advisory describes three vulnerabilities in the Medtronic MyCareLink Smart Patient Reader. The vulnerabilities were initially reported by Sternum. Medtronic has a firmware update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2020-25183,

• Heap-based buffer overflow - CVE-2020-25187, and

• Time-of-check time-of-use race condition - CVE-2020-27252

NCCIC-ICS reports that a relatively low-skilled attacker with adjacent (Bluetooth range) access could exploit these vulnerabilities to modify or fabricate data from the implanted cardiac device being uploaded to the CareLink Network, and to remotely execute code on the MCL Smart Patient Reader device, which could allow control of a paired cardiac device.

Fall 2020 Unified Agenda Published – DHS

Yesterday the Trump Administration published the Fall 2020 Unified Agenda, laying out the plans for the various Federal agencies for rulemakings for the coming year. Technically, this agenda is non-partisan, but the incoming Biden Administration is sure to make some changes as they take over the reins of the federal government starting in late January. There have been some interesting changes to the DHS portions of the Agenda that I follow here.

Current Agenda

The table below shows the rulemakings from the current agenda that I will be following here from various agencies within DHS.

Agency | Stage         | Title                                                                                              | RIN
TSA    | Proposed Rule | Vetting of Certain Surface Transportation Employees                                                 | 1652-AA69
TSA    | Final Rule    | Protection of Sensitive Security Information                                                       | 1652-AA08
CISA   | Prerule       | Removal of Certain Explosive Chemicals From the Chemical Facility Anti-Terrorism Standards (CFATS) | 1670-AA03
CISA   | Proposed Rule | Ammonium Nitrate Security Program                                                                  | 1670-AA00

Current DHS Agenda Items

The first two items were carried over from the current agenda on the Spring 2020 Unified Agenda with no significant changes. The third item is a completely new agenda item that I will briefly discuss below. Finally, the last item was moved from the long-term agenda to the current agenda and modified. Again, I will discuss that in more detail below.

Long-Term Agenda

The table below shows the rulemakings from the long-term agenda that I will be following here from various agencies within DHS.

Agency | Title                                                                                                              | RIN
OS     | Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001) | 1601-AA76
OS     | Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002)  | 1601-AA78
USCG   | Identifying Barriers to Autonomous Vessels                                                                         | 1625-AC54
TSA    | Surface Transportation Vulnerability Assessments and Security Plans                                                | 1652-AA56
CISA   | Chemical Facility Anti-Terrorism Standards (CFATS)                                                                 | 1670-AA01
CISA   | Updates to Protected Critical Infrastructure Information (PCII) Program                                            | 1670-AA02

Long-Term DHS Agenda

There were only two changes here. The first was the move from the long-term agenda to the current agenda that I mentioned above. The second was the move of the Coast Guard item from the Spring 2020 current agenda here. There were no new rulemakings added.

COI Removal

The new CFATS rulemaking added to the current agenda is one that has been long sought by the explosives industry since they are already regulated for security matters by the Bureau of Alcohol, Tobacco, Firearms and Explosives. According to the abstract:

“The Cybersecurity and Infrastructure Security Agency (CISA) is considering removing all 49 Division 1.1 explosive chemicals of interest from Appendix A of the Chemical Facility Anti-Terrorism Standards regulations. CISA intends to solicit comment through an Advance Notice of Proposed Rulemaking (ANPRM) on the advisability of removing Division 1.1 explosives from Appendix A to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations located at 6 CFR part 27. Currently, both CISA and the Bureau of Alcohol, Tobacco, Firearms and Explosives regulate facilities possessing these chemicals for security concerns.”

It seems odd to me that the Trump Administration did not try to start this rulemaking process earlier since it was, at least initially, so interested in removing duplicative regulations. It will be interesting to see how this rulemaking develops under the Biden Administration. Even if this moves forward it is unlikely to complete the regulatory development process very quickly. This could be still in-process when the program comes up for congressional reauthorization in 2023.

Ammonium Nitrate Security Program

This rulemaking has been around for quite some time now. It was originally mandated by Congress to be in place by 2008. The advance notice of proposed rulemaking was published in October of 2008 and the subsequent notice of proposed rulemaking (NPRM) was published in August of 2011. DHS had problems moving forward with the regulation as it could not justify the cost of the program required by Congress. In June of 2019 DHS published a redacted copy of the Sandia Labs report on ammonium nitrate which actually expanded the case for regulating the sale of AN.

It looks like CISA is ready to try again. According to this rulemaking document they intend to withdraw the ‘current’ NPRM and then publish a new one. According to the abstract:

“A Federal regulation governing the sale and transfer of ammonium nitrate is statutorily mandated. Given that: (1) Terrorists can easily acquire significant amounts of ammonium nitrate through many small purchases, and (2) 6 U.S.C. 488 et seq. focuses on only one of many IEDPs available to terrorists, CISA believes that a comprehensive regulatory regime cannot be constructed under 6 U.S.C. 488 et seq. in a manner that produces societal benefits larger than burdens. Therefore, CISA's new proposed rule will seek to minimize burdens while satisfying statutory requirements.”

This should be an interesting exercise given the congressional requirements for registration and regulation of the transfer of ammonium nitrate at the point of sale.

 