Tuesday, March 31, 2020

3 Advisories and 1 Update Published – 3-31-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Hirschmann Automation and a medical device security advisory for products from BD. They also updated an advisory for products from Schneider Electric.

Mitsubishi Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC programmable controllers with MELSOFT transmission port (UDP/IP). The vulnerability was reported by Rongkuan Ma, Jie Meng, and Peng Cheng. Mitsubishi provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to render the device unresponsive.

Hirschmann Advisory


This advisory describes a classic buffer-overflow vulnerability in the Hirschmann HiOS, HiSecOS. The vulnerability was reported by Sebastian Krause and Toralf Gimpel of GAI NetConsult. Hirschmann has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled, unauthenticated attacker could remotely exploit this vulnerability to overflow a buffer and fully compromise the device.

NOTE: The NCCIC-ICS advisory is actually based on the second revision of the Belden advisory, which was originally published on February 14th, 2020 and most recently updated on February 26th, 2020. The most recently added information from Belden is the CVE number and link.

BD Advisory


This advisory describes a protection mechanism failure vulnerability in the BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System. The vulnerability is self-reported. BD provides generic workarounds to mitigate the vulnerability. The BD advisory states that they are in the process of deploying a security update that strengthens kiosk mode to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access could exploit the vulnerability to bypass kiosk mode and view and/or modify sensitive data.

Schneider Update


This update provides additional information on an advisory that was originally published on January 16th, 2020. The new information includes an updated CVSS score for CVE-2018-7794.

Saturday, March 28, 2020

ISCD Publishes 60-day CVI ICR

CISA is publishing a 60-day ICR notice in Monday’s (available online today) Federal Register (85 FR 17593-17594) for an extension of the current Chemical-Terrorism Vulnerability Information (CVI) information collection request (ICR). This would cover the information ISCD would collect on-line from personnel requesting to become a CVI authorized user.

ICR Burden


The key to estimating the burden of the ICR is to determine the number of people that will be attempting to become CVI certified. CISA provides the last three-year data on the applications, but notes: “Due to past fluctuations and uncertainty regarding the number of future respondents, CISA believes that 20,000 continues to be a reasonable estimate.” This results in an extension of the current burden (estimate below) without change.

• Number of respondents – 20,000
• Time per respondent – 30-min
• Annual time burden – 10,000-hours

With an estimated average hourly wage for requestors being $79.75 this brings the annual cost burden to $797,474 per year.

Public Comments


CISA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2020-0002). Comments are due by May 29th, 2020.

COVID-19 and Terrorism – 3-28-20


I briefly mentioned yesterday that the threat from domestic terrorists may be increased during the COVID-19 pandemic. Here is a brief reading list of recent articles supporting that view. These are not intelligence reports by any means, but they do offer some insights into the potential problem.


I will share more information along these lines as it becomes available.

Public ICS Disclosures – Week of 03-21-20


This week we have five vendor disclosures for products from Phoenix Contact (2), 3S (2) and Philips along with an update of a previous vendor disclosure from Belden. There is also an exploit publication for products from GE. Finally, an interesting look at control system security and COVID-19 ‘industrial distancing’.

Phoenix Contact Advisories


Phoenix Contact published an advisory [.PDF download link] describing a privilege escalation vulnerability in their Portico Remote desktop control software. The vulnerability was reported by an unnamed researcher. Phoenix Contact has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.


Phoenix Contact published an advisory [.PDF download link] describing an insecure permissions vulnerability in their PC WORX SRT. The vulnerability was reported by Sharon Brizinov of Claroty. Phoenix Contact provides generic workarounds to mitigate the vulnerability.

3S Advisories


3S published an advisory [.PDF download link] describing an out-of-bounds memory buffer access vulnerability in their CODESYS communication protocol. The vulnerability was reported by Carl Hurd of Cisco Talos and an OEM customer. 3S has a new version that mitigates the vulnerability. There is no indication that Hurd has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Talos report includes proof-of-concept exploit code.


3S published an advisory [.PDF download link] describing a heap-based buffer overflow vulnerability in their Web Service application. The vulnerability was reported by Tenable. 3S has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Tenable report includes proof-of-concept exploit code.

Philips Advisory


Philips published an advisory describing two vulnerabilities in their AC 2719 Air Purifier when using the Air Matters Android application. Philips reports that this is a chip-level problem, but reportedly a newer version of the application mitigates the vulnerabilities (?). The vulnerabilities were reported by an unnamed researcher.

The two (3 or 4 depending on where you read in the advisory) reported vulnerabilities are:

• Cleartext transmission of information;
• Insufficient Diffie-Hellman strength; and
• Decompiling Android app

NOTE: Okay, I will admit that I am confused by this advisory. I cannot find a researcher report of these vulnerabilities. If someone wants to step forward and explain this to me, I would appreciate it.

GE Exploit


Ivan Marmolejo has published an exploit for a password denial of service vulnerability in the GE ProficySCADA for iOS. There is no CVE number associated with the exploit report nor any vendor contact reports and I cannot find a report of a similar vulnerability on the GE security advisory page so this looks like a 0-day exploit.

COVID-19


Otorio.com has an interesting blog post about the increase in remote access to industrial systems due to COVID-19. They introduce a fun new term ‘industrial distancing’. It is a quick read, but worth it.

Friday, March 27, 2020

COVID-19 CFATS Extension


I reported earlier today that the Senate had left town without acting on an extension of the authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program which runs out on April 18th. It turns out that I was mistaken. Thanks to a TWEET® from Douglas A. Leigh III, Director of Legislative Affairs National Association of Chemical Distributors (NACD), I went back and re-searched SA 1578, which became HR 748, Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Sure enough, he was correct; buried well down within Division B, Emergency Appropriations for Coronavirus Health Response and Agency Operations, §16007 (pg S 2136) provides a short-term extension for the CFATS program. That section states:

“Section 5 of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (Public Law 113–254; 6 U.S.C. 621 note) is amended by striking ‘‘the date that is 5 years and 3 months after the effective date of this Act’’ and inserting ‘‘July 23, 2020’’: Provided, That the amount provided by this section is designated by the Congress as being for an emergency requirement pursuant to section 251(b)(2)(A)(i) of the Balanced Budget and Emergency Deficit Control Act of 1985.”

That last “Provided” clause in the section is a technical necessity that really has nothing to do with the actual CFATS extension.

I must admit that it is nice seeing a date-certain for the termination of CFATS authority rather than the previous ‘the date that is 5 years and 3 months after the effective date of this Act’.

The House concurred with the Senate amendment to HR 748, this afternoon. The press reports that the President signed it this evening.

COVID-19 Update for CFATS Program – 3-27-20


Today the CISA Infrastructure Security Compliance Division (ISCD) published a notice in the ‘Latest News’ section of the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center concerning the effect of the COVID-19 pandemic on the CFATS program. The notice also provides a link to a document providing additional information signed by Brian Harrell, the CISA Assistant Director for Infrastructure Security, the component of CISA in which the ISCD resides.

Knowledge Center Notice


The notice makes two essential points. First, earlier this week ISCD began postponing and rescheduling all site visits by ISCD Chemical Security Inspectors. This is being done in support of the isolation and social distancing prevention program in place across the country. The notice makes it clear that these inspections and assistance visits will resume as the COVID-19 pandemic eases.

Second, the notice reiterates that the CFATS regulations remain in effect and that facilities are still required to fulfill their reporting requirements and continue full implementation of their approved site security plans. With regards to the impact of the COVID-19 pandemic on their facilities, ISCD notes:

“We are encouraging facilities to consider what compensatory measures they may need to put in place to continue to secure their critical assets if their designated personnel are unable to perform their security duties due to illness or quarantine.”

Infrastructure Security Letter


Director Harrell’s letter re-emphasizes the comments made in the notice. It also provides responses to four questions that CISA expects facilities to be asking:

• When will I be contacted to reschedule inspections and visits?
• What should I do if our security has been impacted and I need assistance with compensatory measures?
• What should I do if my COI is missing or has been released?
• I am unable to complete my in-progress Top-Screen or Site Security Plan by the current due date due to COVID-19 response. How do I request an extension?

In response to the first question, Harrell makes an important point:

“In these rare cases, our personnel will coordinate with you in advance of arrival to discuss health and safety requirements in place at your facility.”

Commentary


I think that this is a reasonable response to an unexpected national emergency. The COVID-19 pandemic may have reduced the threat to chemical facilities from international terrorists; international travel has, after all, been severely impacted. It seems that there might be an increase in the threat from domestic terrorist action; there has been at least one preempted attack on a hospital that was related to the COVID-19 epidemic. Chemical facilities must remain vigilant; this applies to both chemical security and chemical safety vigilance.

Bills Introduced – 3-26-20


Yesterday, with just the House in session (not really in Washington, but not a proforma session either) and the Senate in its COVID-19 recess, there were 14 bills introduced. One of those bills will receive future coverage in this blog:

HR 6395 To authorize appropriations for fiscal year 2021 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Smith, Adam [D-WA-9]

Did the Senate Kill CFATS Because of COVID-19?


See corrected information about this post here - https://chemical-facility-security-news.blogspot.com/2020/03/covid-19-cfats-extension.html [Added 0632 EDT, 3-28-20]

On Wednesday, the Senate passed HR 748 after amending it to become the Coronavirus Aid, Relief, and Economic Security Act. Everyone sighed with relief as the upper chamber actually came to an agreement. After taking care of some minor procedural matters, the Senate then took off for what we will end-up calling the COVID-19 Recess; they are not currently scheduled to return to Washington until April 20th, 2020.

There are, of course, proforma sessions scheduled throughout the recess. This has become a standard practice (from well before Trump) to prevent the President from making recess appointments that would not require Senate advice and consent. While the House rules provide for some limited legislative activity during proforma sessions, the Senate used its normal proforma session language in escaping the potential Washington COVID-19 exposure: “with no business being conducted”. This means that no bills will be offered in the Senate and no action will be allowed on existing bills.

The Senate will meet in proforma session on each Monday and Thursday between today and April 16th. They are then next scheduled to meet in a real session on April 20th. This sounds good, the Senate is ‘setting the example’ on isolation and social distancing. Congratulations.

One small problem. The Chemical Facility Anti-Terrorism Standards (CFATS) program’s current authorization expires on April 18th, 2020. And, the Senate failed to take action on the House passed CFATS extension, HR 6160. Nor did it take action on either of the two CFATS bills before the Senate, S 3416 or S 3506 (which has yet to be published by the GPO). This means that no final action on extending the current authorization for the CFATS program is “possible” until April 20th, 2020.

Okay, I put ‘possible’ in quotes for a reason. Anyone that has watched Congress in action for as long as I have knows that there is always a way around the ‘rules’ of Congress. If Sen McConnell (R,KY) decides that HR 6160 needs to be passed before April 18th, he will find a way to pass it. And I do not think that there would be any serious opposition to that passage if it were to happen.

What happens if the Senate does not take action before April 18th? An interesting question. The 18th this year is on a Saturday, so for all practical purposes, nothing happens. The Senate could come back into session on the Monday, the 20th, pass HR 6160 and send it to the President, who would probably sign it that day. There would be some breath holding across the CFATS community, but nothing would really change.

But, even if they did not do that, it might not make a real difference. The CFATS program is currently funded, like the rest of the Federal government, until September 30th, 2020. There are a number of people who feel (myself included) that that provides de facto authority for the continued operation of the CFATS program through the end of the fiscal year. I do not think that the Infrastructure Security Compliance Division would attempt to formally sanction anyone for CFATS violations during that period (thus forcing a court review of their authority), but I think that routine inspections, Top Screen reviews and Site Security Plan approvals would continue. And I do not think that there would be any serious objection from the regulated community.

And, on October 1st, when the continuing resolution continues to fund the federal government (there will certainly be one this year, perhaps for a full year because of COVID-19) the CFATS program funding and thus unofficial authority would likely continue.

Does this mean that CFATS reauthorization or extension is not needed? Certainly not. At some point ISCD will have to tell a facility to do something that the facility does not want to do and the courts would become involved. The court would then have to rule that the authority for the program had expired and that the facility was not obligated to do what it was told. Then the CFATS program would be dead. Congress does need to act.

Thursday, March 26, 2020

1 Advisory Published – 3-26-20


Today the CISA NCCIC-ICS published one control system security advisory for products from Advantech.

Advantech Advisory

This advisory describes a stack-based buffer overflow in the Advantech WebAccess HMI platform. The vulnerability was reported by Peter Cheng of Elex CyberSecurity. Advantech has a new version that mitigates the vulnerability. There is no indication that Cheng was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

NOTE: I wonder if this could be the same vulnerability that was reported by Tenable back in December. Different CVE numbers, but that does not mean a lot. Not enough detail in the NCCIC-ICS report to really tell.

NIST Publishes NCCoE Notice on Validating the Integrity of Computing Devices


Today the National Institute of Standards and Technology published a notice in the Federal Register (85 FR 17043-17045) on “National Cybersecurity Center of Excellence (NCCoE) Validating the Integrity of Computing Devices Building Block”. NIST is inviting organizations to provide products and technical expertise to support and demonstrate security platforms for the Validating the Integrity of Computing Devices project.

According to the Notice: “The objective of this project is to produce example implementations to demonstrate how organizations can verify that the internal components of their purchased computing devices are genuine and have not been altered during the manufacturing and distribution process.” The components that NCCoE intends to look at in this block include:

• Computing devices, including laptops, servers, and mobile devices
• Configuration management software
○ vulnerability scanning
○ detection
○ patch management
○ version control
○ synchronization
○ firmware
• Asset inventory software
○ asset management
○ asset discovery
• Security information and event management (SIEM)
○ event detection
○ log management
○ exfiltration activity
○ unauthorized activity
○ anomalous activity
• Certificate authority

Organizations wishing to participate will have to submit a letter of intent describing how their products address one or more of the following desired solution characteristics:

• Use verifiable and authentic artifacts that manufacturers produce during the manufacturing and integration process.
• Detect malicious component swaps of the computing device.
• Manage the automation process when accepting the delivery of a computing device and throughout the operational lifecycle of the device.
• Inspect computing devices to verify that the components in a delivered (or in-use) system computing device match the attributes and measurements declared by the manufacturer.

A copy of the letter of intent template may be obtained by contacting Nakia Grayson via email at supplychain-nccoe@nist.gov.
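As an added illustration of the last two desired solution characteristics (this is example code written for this post, not anything NIST or the NCCoE have published), the following Python script checks the component inventory observed on a delivered server against a manufacturer-signed component manifest and flags swapped, missing or undeclared components. The manifest layout, the slot names, the serial numbers and firmware hashes, and the use of HMAC-SHA256 with a shared key in place of a real manufacturer signature are all assumptions made for the example.

```python
"""Added example (not NIST/NCCoE code): check a delivered device's observed
component inventory against a manufacturer-signed component manifest.

Assumptions, all hypothetical: the manifest format, the slot names, and the use
of HMAC-SHA256 with a shared key as a stand-in for the manufacturer's signature.
"""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the tag always covers the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body: dict, key: bytes) -> dict:
    """Manufacturer side: attach a tag computed over the canonical manifest body."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_manifest(signed: dict, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical(signed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["tag"])


def compare_components(declared: dict, observed: dict) -> dict:
    """Diff declared vs observed slots into swapped, missing and unexpected lists."""
    findings = {"swapped": [], "missing": [], "unexpected": []}
    for slot, spec in declared.items():
        seen = observed.get(slot)
        if seen is None:
            findings["missing"].append(slot)
        elif seen.get("serial") != spec["serial"] or seen.get("fw_sha256") != spec["fw_sha256"]:
            findings["swapped"].append(slot)
    findings["unexpected"] = [slot for slot in observed if slot not in declared]
    return findings


def validate_device(signed_manifest: dict, observed: dict, key: bytes) -> dict:
    """Accept the device only if the manifest is authentic and every slot matches."""
    if not verify_manifest(signed_manifest, key):
        return {"manifest_authentic": False, "accept": False, "findings": None}
    body = signed_manifest["body"]
    findings = compare_components(body["components"], observed["components"])
    serial_ok = body["device_serial"] == observed["device_serial"]
    accept = serial_ok and not any(findings.values())
    return {"manifest_authentic": True, "device_serial_match": serial_ok,
            "findings": findings, "accept": accept}


# --- Constructed sample data (no real vendor, serials or firmware) -----------
MANUFACTURER_KEY = b"demo-manufacturer-key"  # stand-in for a real signing key

DECLARED = {
    "device_serial": "SRV-0001",
    "components": {
        "nic0": {"serial": "NIC-A1", "fw_sha256": "aa" * 32},
        "ssd0": {"serial": "SSD-B2", "fw_sha256": "bb" * 32},
        "bmc":  {"serial": "BMC-C3", "fw_sha256": "cc" * 32},
    },
}
SIGNED_MANIFEST = sign_manifest(DECLARED, MANUFACTURER_KEY)

# Inventory as collected from the delivered device; identical to the declaration.
OBSERVED_GOOD = json.loads(json.dumps(DECLARED))

# Same device, but the SSD was replaced in transit and an undeclared card added.
OBSERVED_SWAPPED = json.loads(json.dumps(DECLARED))
OBSERVED_SWAPPED["components"]["ssd0"]["serial"] = "SSD-Z9"
OBSERVED_SWAPPED["components"]["pcie3"] = {"serial": "UNK-01", "fw_sha256": "dd" * 32}

# A manifest edited after signing to "legitimize" the swapped SSD; the tag no longer matches.
TAMPERED_MANIFEST = json.loads(json.dumps(SIGNED_MANIFEST))
TAMPERED_MANIFEST["body"]["components"]["ssd0"]["serial"] = "SSD-Z9"


if __name__ == "__main__":
    for label, manifest, inventory in [("good", SIGNED_MANIFEST, OBSERVED_GOOD),
                                       ("swapped", SIGNED_MANIFEST, OBSERVED_SWAPPED),
                                       ("tampered", TAMPERED_MANIFEST, OBSERVED_SWAPPED)]:
        print(label, json.dumps(validate_device(manifest, inventory, MANUFACTURER_KEY)))
```

The point of the tampered case is the first characteristic in the NCCoE list: an inventory check is only as good as the authenticity of the artifact it is compared against, so the manifest is verified before any component comparison is trusted. A production implementation would replace the shared HMAC key with a manufacturer public-key signature and would collect the observed inventory from the platform itself rather than from a hand-built dictionary.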

Commentary


While this is primarily an IT related project at this point, it seems clear to me that control system components potentially have the same vulnerability to post design/manufacture modification that could compromise the security of the system in which the compromised component resides. This will be an interesting project to participate in and/or watch.

Wednesday, March 25, 2020

ISCD Updates Ownership Change FAQ


Today the CISA Infrastructure Security Compliance Division (ISCD) updated a frequently asked question (FAQ) response in the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. FAQ #1275 was changed; it was originally published in 2015 and most recently revised in 2017. FAQ #1275 asks:


Two different changes were made. There was an inconsequential name change substituting either ‘Cybersecurity and Infrastructure Security Agency’, ‘CISA’, or ‘Agency’ where the previous version used ‘DHS’. The second change is slightly more substantive.

In the Option 2 explanation the last two sentences were removed:

The buyer should also provide the new facility name, owner, operator, and parent company, as applicable. Facilities may edit this information themselves; however, the Department still requests a letter from the buyer and from the seller if possible.

Then the following language was substituted:

To expedite the transfer, the buyer should provide in its letter, the new facility name, owner, operator, and parent company, as applicable. The buyer should also include the New Authorizer's name, email address, and phone number.

This is not a real policy change; it just provides some additional clarity.

S 3416 – Emergency Response Information Sharing


This is part of a series of blog posts on the recently introduced S 3416, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2020, which would modify and reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. Other posts in this series include:


Information Sharing Strategy


The strategy that I discussed in yesterday’s post is also intended to address “the sharing of information with the local emergency manager, the local emergency response provider, and any on site emergency response provider for a covered chemical facility” {§6(a)}. That strategy would include “guidance on further improving outreach to the local emergency manager, the local emergency response provider, and any on site emergency response provider for a covered chemical facility” {§6(b)(3)}. That guidance would include requirements for:

• A statement of the name or title, organizational affiliation, and phone number of a local emergency manager or local emergency response provider, and any on site emergency response provider, for the covered chemical facility;
• The documented policy of the covered chemical facility to coordinate access to the facility with the local emergency manager, local emergency response provider, and any on site emergency response provider described in sub-paragraph (A), for purposes of training and pre-incident planning; and
• Written documentation by the covered chemical facility that the owner or operator has provided the local emergency manager or local emergency response provider with need to know (within the meaning of 6 CFR 27.400(e), or any successor thereto) and appropriate chemical-terrorism vulnerability information credentials the name and amount of each chemical of interest held, stored, or manufactured at the covered chemical facility.

Information Sharing Requirements


Section 15(a) amends 6 USC 622(e) by adding a paragraph (6), Sharing Information with Emergency Response Providers. This new paragraph would require DHS to “make available to State, local, and regional fusion centers and State and local government officials, including officials of State or local law enforcement agencies and emergency response providers” {new §622(e)(6)(B)} information that DHS determines is necessary “to ensure that emergency response providers are capable to effectively prepare for, respond to, and mitigate chemical security incidents at covered chemical facilities”. That information will include:

• The name of the covered chemical facility;
• The address of the covered chemical facility;
• The phone number of the covered chemical facility;
• The name and Chemical Abstract Service number of each chemical of interest used, stored, or manufactured as specified in the Top-Screen submitted by the covered chemical facility;
• The quantity and concentration of each chemical of interest specified in the Top-Screen submitted by the covered chemical facility; and
• The name or title, organizational affiliation, and phone number of a local emergency manager or local emergency response provider for the covered chemical facility specified in the site security plan of the covered chemical facility.

The bill would require DHS to use an existing “single information technology infrastructure, information technology platform, online platform, or website” {new §622(e)(C)(i)} for this required information sharing. Presumably this means the Infrastructure Protection Gateway that ISCD established in 2015.

DHS would be required to update this information every 90-days.

Emergency Responder Outreach


The new §622(e)(6) above would also require the Infrastructure Security Compliance Division (ISCD) to conduct an outreach to local officials during compliance inspections or audits. Inspectors would be required to {new §622(e)(6)(E)}:

• Contact and notify the local emergency manager or local emergency response provider, and any on-site emergency response provider, identified by the covered chemical facility that there is a covered chemical facility in their response area; and
• Inform the response officials identified by the covered chemical facility of the available secure communications and information technology infrastructure platforms or other mechanisms to obtain additional information.

Commentary


I have two major concerns about the emergency response language in this bill; the lack of definition of key terms and the ‘need to know’ language used.

There are three new terms used in this bill about emergency responders that are unique to the bill and require definitions:

• Local emergency manager;
• Local emergency response provider; and
• On-site emergency response provider.

First-off, I think that the third term ‘on-site emergency response provider’ should be eliminated. If the facility management has not provided an on-site responder with necessary information about all of the chemicals on the site (not just those covered by the CFATS program), the facility has problems that need to be addressed by OSHA, not DHS.

Next, instead of the term ‘local emergency manager’ I would suggest that the terminology that should be used is “the head of the Local Emergency Planning Committee established under 42 USC 11001”. Then, instead of ‘local emergency response provider’ the bill should use ‘the head of the fire department that provides coverage for the facility’. Actually, the second term is operationally redundant for most facilities as local fire departments are supposed to be represented on the LEPC. But that is only true for ‘most’ facilities since there are a number of areas that have no LEPC or the LEPC is not really active.

The bill uses the phrase “with a need to know (within the meaning of section 27.400(e) of title 6, Code of Federal Regulations)” to modify the term ‘emergency responders’ wherever there is a requirement to share information with those responders. Now, I understand the need to protect Chemical-terrorism Vulnerability Information (CVI), which is what §27.400 refers to, and ‘need-to-know’ is a key part of that protection.

The CVI information that DHS is required to share under the proposed §622(e)(6) is limited to:

• The name and Chemical Abstract Service number of each chemical of interest used, stored, or manufactured as specified in the Top-Screen submitted by the covered chemical facility; and
• The quantity and concentration of each chemical of interest specified in the Top-Screen submitted by the covered chemical facility

Both of these items of information should be available to the listed agencies via the Environmental Protection Agency. With that in mind, I would like to propose striking the phrase “with a need to know (within the meaning of section 27.400(e) of title 6, Code of Federal Regulations” wherever is used in §622(e)(6) and adding the following at the end of the paragraph:

(f) The information provided in (b) is presumed to be Chemical-Terrorism Vulnerability Information in accordance with 6 CFR 27.400. The individuals listed in (b) with whom that information is to be shared are deemed to have ‘need-to-know’ under §27.400(e)(i).

One final niggly bit; the inclusion of the requirements for the outreach to local emergency responders in §6 of the bill is more than a little confusing since the rest of that section deals with cybersecurity. The emergency response information sharing provision of §6 should have been included as part of §15, which proposes the addition of §622(e)(6), probably as part of §15(b).

Tuesday, March 24, 2020

2 Advisories Published – 3-24-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Schneider and VISAM.

Schneider Advisory


This advisory describes two vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2020-7478;
• Missing authentication for critical function - CVE-2020-7479

NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow unauthorized access to sensitive data and functions.

NOTE: I briefly discussed these vulnerabilities earlier this month.

VISAM Advisory


This advisory describes five vulnerabilities in the VISAM VBASE automation platform. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. VISAM has not responded to NCCIC-ICS inquiries about these vulnerabilities.

The five reported vulnerabilities are:

• Relative path traversal - CVE-2020-7008;
• Incorrect default permissions - CVE-2020-7004;
• Inadequate encryption strength - CVE-2020-10601;
• Insecure storage of sensitive information - CVE-2020-7000; and
• Stack-based buffer overflow - CVE-2020-10599

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read the contents of unexpected files, escalate privileges to system level, execute arbitrary code on the targeted system, bypass security mechanisms, and discover the cryptographic key for the web login.

Monday, March 23, 2020

S 3416 Introduced – CFATS Reauthorization and Cybersecurity


Earlier this month Sen. Johnson (R,WI) introduced S 3416, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2020. The bill would modify and reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. While there are some similarities to S 3405 that Johnson introduced in the 115th Congress, it would not be fair to state that this is a re-write of that bill.

This is a complex bill that covers a wide variety of topics related to the CFATS program. Those topics include:

• Employee input regarding security measures.
• Strategy to improve cybersecurity and outreach to local emergency responders.
• Site security plan assessments.
• Expedited approval program.
• CFATS recognition program.
• Standards for auditors and inspectors.
• Personnel surety program.
• Security risk assessment approach and corresponding tiering methodology.
• Amendments relating to Appendix A of 6 CFR part 27.
• Bidirectional information sharing platform.
• CFATS security harmonization waiver program.

Cybersecurity


Rather than eliminate CFATS coverage of cybersecurity issues as was initially proposed in S 3405, §6 of the bill would require DHS to periodically (initially after 1 year and then every 2 years) publish “a strategy that includes the strategic and operational goals and priorities of the Department of Homeland Security for covered chemical facilities to improve the cybersecurity of covered chemical facilities” {§6(a)}. That strategy would include an assessment of cybersecurity threats to {§6(b)(1)}:

The information technology or operational technology affecting the security risk of a chemical of interest of the covered chemical facility;
Processes and operations relating to a chemical of interest (COI); and
Security measures of the covered chemical facility relating to a COI;

The strategy would also include “processes for periodic mitigation of (the) security vulnerabilities” {§6(b)(2)} affecting those areas listed above.

Additionally, §3 of the bill would amend the stated purpose of the CFATS program in 6 USC 622 to specifically include cybersecurity. Paragraph (a)(2)(C) would be amended to read:

(C) establish risk-based performance standards designed to eliminate or mitigate physical, cybersecurity, and hybrid physical-cybersecurity vulnerabilities in order to address high levels of security risk at covered chemical facilities; and

Cybersecurity Definitions


Section 2 of the bill would add two new cybersecurity related definitions to 6 USC 621: ‘hybrid physical-cybersecurity vulnerability’ and ‘security vulnerability assessment’.

The term ‘hybrid physical-cybersecurity vulnerability’ is defined as “a vulnerability in the security of a covered chemical facility that relates to the combination of the physical operations and cybersecurity operations of the covered chemical facility” {new §621(10)(A)}. It would also include a vulnerability of a covered chemical facility to {new §621(10)(B)}:

A physical threat to a cybersecurity operation affecting the chemical of interest of the covered chemical facility; or
A cybersecurity threat to a physical operation of the covered chemical facility.

The second term, ‘security vulnerability assessment’, is defined as an assessment of the vulnerabilities of a covered chemical facility to physical threats and cybersecurity threats to the information technology or operational technology of the covered chemical facility as those technologies relate to {new §621(12)(ii)}:

A chemical of interest;
An operation involving a chemical of interest; or
A security measure of the covered chemical facility;

Moving Forward


Johnson is the Chair of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. Typically, this would ensure that this bill would receive coverage by that Committee. The bill was initially listed as being included in the Business Meeting that occurred right after the bill was introduced, but it was removed from the agenda shortly thereafter. I discussed this in some detail in my earlier post about that hearing.

I will be very surprised if this bill does get considered in Committee. While it looks like Johnson has made several attempts to address the concerns of Democrats in this bill (more on those in subsequent posts), there are still changes that the opposition party would like to see made in this bill. If the bill is brought up, I would expect to see substitute language offered by Johnson to address at least some of those concerns.

As I mentioned earlier, the only way that this bill is going to make it to the floor of the Senate, is for it to be considered under the Senate’s unanimous consent process. A single Senator can stop that process by objecting and those objections need not have anything to do with the provisions of the bill. This has been a contentious session of Congress and the COVID-19 epidemic is not making it any less so.

The introduction of S 3506 (the language for which is still not available) by Sen. Lankford (R,OK), a Subcommittee Chair on the HGSA is, it seems to me, a clear recognition that S 3416 will not move forward.

Commentary


While I do not think that this bill will move forward, I will still be making additional posts about the provisions of this bill as it is an interesting look at the changes in Johnson’s outlook on the CFATS program.

The cybersecurity provisions are an important case in point. First off, Johnson has made a complete turnaround on his support for cybersecurity coverage in the Program from last session. Where he was prepared to eliminate cybersecurity coverage, he is now making it a key point in the purpose and scope of the program. Nothing in this bill will directly require a change in the current cybersecurity processes in the CFATS program or individual site security plans, but it does specifically require DHS to take a hard look at those processes and security measures and periodically re-address them in the future.

Second, Johnson’s emphasis on cybersecurity in this CFATS reauthorization bill (and in fact, the actual publication of the bill at all) is a direct slap at the President’s attempt to deauthorize the CFATS program and use its inspectors as additional Protective Security Advisors. If there were any thought that Congress was going to go along with this eradication of the CFATS program, this bill is certainly a clear sign that it is not going to happen without a fight.

The one odd thing about the ‘new’ cybersecurity review requirements under §6 is the conspicuous absence of the Cybersecurity and Infrastructure Security Agency (CISA). While the program is currently included under the ‘infrastructure security’ wing of the Agency, the bill keeps referring to the ‘Secretary’ as being the responsible party for effecting changes in the program. I thought that the whole purpose of elevating the old NPPD to Agency status was to raise the status and level of responsibility for the newly crowned Director.

I am particularly happy to see Johnson acknowledge that there are three components to cybersecurity at chemical facilities, IT security, OT security and Security security, the cybersecurity of facility security controls. While there are certainly those in the control system security field that will object to the use of ‘operations technology’ to describe the full gamut of the control system security realm, it is important to note that Johnson (not a techy) is apparently using the undefined term in the broadest sense. And I like the way that he spells out the dual importance of physical security of cybersecurity controls and the cybersecurity of physical security controls.

There is a lot of interesting stuff in this bill, and it is a shame that the effort currently appears to have been wasted.

Saturday, March 21, 2020

Public ICS Disclosures – Week of 3-14-20


This week we have four vendor disclosures for products from Bosch, Schneider, Moxa and Eaton. There are also two interesting cybersecurity related announcements from Philips and Meinberg.

Bosch Advisory


Bosch published an advisory describing an improper input validation vulnerability in the Bosch Rexroth S20-PN-BK+/S20-ETH-BK fieldbus couplers. The vulnerability is in a third-party component of the devices from Phoenix Contact that was originally reported in September 2018. Bosch provided generic controls to mitigate the vulnerability. These are the same controls recommended by Phoenix Contact.

Schneider Advisory


Schneider published an advisory describing an injection vulnerability in their Modicon Controllers, EcoStruxure™ Control Expert and Unity Pro Programming Software. The vulnerability was reported by Airbus Cybersecurity. Schneider has hotfixes available to mitigate this vulnerability.

Schneider reports that:

“Since alerting us to the vulnerability, Airbus Cybersecurity and Schneider Electric have collaborated to validate the research and to assess its true impact. Our mutual findings demonstrate that while the discovered vulnerability affects Schneider Electric offers, it equally impacts many other vendors and the global industrial automation market in general, especially when the baseline assumption of the attack technique Airbus Cybersecurity demonstrated is considered. Given certain conditions, and assuming an attacker has access to the network, many devices available from several different industrial control vendors are likewise vulnerable.”

Schneider provides links to the Airbus Cybersecurity site and blog for further details. As of this morning I can find nothing on that site.

Moxa Advisory


Moxa published an advisory describing two vulnerabilities in the Moxa OnCell Central Manager Cellular Management Software. The vulnerabilities were reported by Sergey Temnikov from Kaspersky ICS CERT. These vulnerabilities are in a third-party component, Apache Flex BlazeDS. Moxa has a security patch that mitigates the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2019-15696 (Apache CVE-2017-5641); and
• Information exposure - CVE-2019-15697 (Apache CVE-2015-3269)

The CVE links are to the Kaspersky advisories. Kaspersky has provided the original CVE numbers for the underlying vulnerability. There is at least one publicly available exploit for the original information exposure vulnerability.

Eaton Advisory


Eaton published an advisory describing an eval injection vulnerability in the Eaton UPS Companion software. The vulnerability was reported by Ravjot Singh Samra. Eaton has a new version that mitigates the vulnerability. There is no indication that Samra has been provided an opportunity to verify the efficacy of the fix.

Cybersecurity Announcements


Philips published a notice announcing that the Philips Security Center of Excellence was named the first medical device manufacturer to receive a new Underwriters Laboratories (UL) product cybersecurity testing certification (UL IEC 62304).

Meinberg published a notice concerning their continued operations during the COVID-19 outbreak.

Commentary


It is not unusual to see third-party vulnerabilities being reported in control systems. The two reports today are disheartening because of the elapsed time between the reporting of the underlying vulnerability and this week’s advisories. The use of third-party software and libraries is almost unavoidable in the current development environment; companies just cannot afford (time or money) to write complex software from scratch.

We expect manufacturers to watch for vulnerability announcements for the equipment and software they use in their manufacturing processes and then conduct a risk assessment to determine if that vulnerability provides an unacceptable risk to their operations. We need to expect control system vendors to perform the same sort of process. Perhaps companies buying control system components should be asking their vendors to describe their process for identifying and fixing third-party vulnerabilities in their products.
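The process described above (keep an inventory of the third-party components in each product, watch for advisories against those components, and flag the products that need a risk assessment) is the same thing the NTIA software component transparency effort is trying to make routine. The following is an added example, not code from the post or from any vendor named on the page. It matches a constructed SBOM-style inventory against a constructed advisory feed and reports, for each affected product, how long the upstream vulnerability had been public. The component name and the two Apache CVE ids echo the Moxa case above; every product name, version number and date is a constructed placeholder.

```python
"""Match a component inventory against known advisories (constructed example).

Every product name, version number and date below is a placeholder; only the
component name and the two Apache CVE ids come from the advisory discussed
on the page. The 'fixed_in' versions are NOT the real fixed versions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple[int, ...]:
    """'4.7.10' -> (4, 7, 10), so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    fixed_in: str      # first version no longer affected (placeholder)
    published: date    # upstream disclosure date (placeholder)
    weakness: str


@dataclass(frozen=True)
class ProductComponent:
    product: str
    component: str
    version: str


# Constructed upstream advisory feed (dates and fixed versions are placeholders).
ADVISORIES = [
    Advisory("CVE-2015-3269", "Apache Flex BlazeDS", "4.7.1",
             date(2015, 8, 1), "information exposure"),
    Advisory("CVE-2017-5641", "Apache Flex BlazeDS", "4.7.3",
             date(2017, 4, 1), "deserialization of untrusted data"),
]

# Constructed SBOM-style inventory of what each product build ships.
INVENTORY = [
    ProductComponent("vendor product, build A (placeholder)", "Apache Flex BlazeDS", "4.7.0"),
    ProductComponent("vendor product, build B (placeholder)", "Apache Flex BlazeDS", "4.7.3"),
    ProductComponent("unrelated product (placeholder)", "libexample", "1.2.0"),
]


def find_exposures(inventory, advisories, as_of: date):
    """Return (product, cve, days_public) for every shipped component version
    that is older than the advisory's fixed_in version."""
    by_component: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)

    hits = []
    for item in inventory:
        for adv in by_component.get(item.component, []):
            if parse_version(item.version) < parse_version(adv.fixed_in):
                hits.append((item.product, adv.cve, (as_of - adv.published).days))
    return hits


def report(hits) -> list[str]:
    """Human-readable lines for the risk-assessment queue."""
    return [f"{product}: {cve} has been public for {days} days" for product, cve, days in hits]


if __name__ == "__main__":
    for line in report(find_exposures(INVENTORY, ADVISORIES, date(2020, 3, 21))):
        print(line)
```

The useful output is not the match itself but the elapsed-days column: that is the number a purchaser should be asking a vendor about when the vendor's advisory arrives years after the upstream one. A real inventory would come from an SBOM rather than a hand-written list, and real fixed versions from the upstream advisory text.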

Friday, March 20, 2020

Where is NVIC 01-20 – MTSA Cybersecurity Guidance?


Yesterday the Federal Register Public Inspection web site announced that the Federal Register would publish a Coast Guard notice today on “Navigation and Vessel Inspection Circular: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act Regulated Facilities”. According to the (formally) unpublished copy of that notice this would be NVIC 01-20. That notice did not show up in today’s Federal Register, at least it had not as of an hour ago.

As I write this, today’s issue of the Federal Register is ‘not available’. It was available earlier, and the two emails that I received on today’s FR publication have been withdrawn.

Hold, just got an email from the Office of the Federal Register (the second one today, the first was erased) announcing the Federal Register Table of Contents for today and it does list the Coast Guard notice (more on that later).

It will be interesting to see if the National Archives has anything to say about this.

I am very concerned about the Federal Register making changes to their official publication site without making announcements. We are supposed to be able to rely on the accuracy of the Federal Register. That is now called into question.

Thursday, March 19, 2020

2 Advisories Published – 3-19-20


Today the CISA NCCIC-ICS published one control system security advisory for products from Systech Corporation and one medical device security advisory for products from Insulet.

Systech Advisory


This advisory describes a cross-site scripting vulnerability in the Systech NDS-5000 Terminal Server. The vulnerability was reported by Murat Aydemir at Biznet Bilisim AS. Systech has a new firmware version that mitigates the vulnerability. There is no indication that Aydemir has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow information disclosure, limit system availability, and may allow remote code execution.

Insulet Advisory


This advisory describes an improper access control vulnerability in the Insulet Omnipod Insulin Management System. The vulnerability was reported by Thirdwayv Inc. Insulet provides generic mitigation measures to address the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access (this is an RF intercept problem so – remote access?) could use a publicly available exploit to abuse (sorry, I did not want to repeat the word ‘exploit’; trying this on for size) the vulnerability.

NOTE: It looks like this ‘exploit’ is being developed by an unauthorized user group to expand the options for using the Insulet OmniPod insulin pump.



COVID-19 Chemical Facility Shutdowns


Earlier today an interesting TWEET® from @Kulinowski, the Interim Executive Director of the Chemical Safety Board (CSB), pointed at a valuable document in the CSB archives; “Safety Digest: CSB Investigations of Incidents during Startups and Shutdowns”. It looks at three major accidents investigated by the CSB that occurred during startups and shutdowns. Kulinowski noted in her TWEET that: “Should a facility determine it is safer to suspend operations due to coronavirus, extra care must be taken to do so safely.”

She is, of course, absolutely correct, but with COVID-19 shutdowns being for indeterminate periods, careful planning needs to be applied to the period between shutdown and startup. Specific attention needs to be paid to the safety and security of chemicals remaining at the facility during the shutdown. Emergency response planning, both onsite and off, also deserves special scrutiny.

Chemical Safety


Each chemical held on site will have its own unique storage requirements for safely holding the chemical for an indeterminate length of time. Management needs to determine those needs for each chemical held on site and determine the safety critical and quality critical storage requirements for each. Detailed monitoring plans need to be put into place for safety critical storage conditions, with specific response plans should conditions approach safety critical limits.

Monitoring quality critical requirements is not as important on a real-time basis, but quality control testing of materials that were stored outside of normal standards could be an important safety step in the facility startup process. This is very important when auto-reaction or decomposition products could affect the control of startup or production processes.

Plans for either on-site or remote monitoring will have to take into account personnel status changes due to either COVID-19 quarantine or illness of the individuals involved. While on-site isolation of the monitoring team might seem to be a way to avoid subsequent COVID-19 problems, managers need to remember that individuals may transmit the disease up to four days prior to showing symptoms.

Chemical Security


Chemical security issues, either regulatory or otherwise, are not going to go away during an extended facility shutdown. In fact, criminals or terrorists might decide that shutdown facilities are easier targets due to the decreased number of personnel on site. The eyes and ears of employees moving about the facility during normal operations are a valuable part of the security surveillance system at any facility. The absence of those employees from the facility will have to be taken into account in a review of the post-shutdown security procedures.

The updated security plan is also going to have to take into account the changing COVID-19 status of personnel involved in on-site patrolling, off-site monitoring and security response. It is very important to ensure that new personnel being brought onto the site are fully briefed on the chemical safety requirements for the facility.

Closed Facilities


It is almost inevitable that there will be facilities that transition from shut-down to closed if the COVID-19 problem persists for very long. With some medical researchers saying that social isolation requirements may need to stay in place for as much as 18 months, there will certainly be companies that go out of business during their COVID-19 shutdowns. It is unlikely that these facilities will undergo an orderly closing process with the removal of unsafe chemicals or chemicals with security issues.

Local governments are going to have to plan for monitoring such facilities after they close and stop funding the shutdown operations. Security companies are likely to be the first reporters of the change in status at these facilities. Law enforcement and emergency responders will need to monitor chemical facilities in their jurisdictions for this potential transition.

Unpredictable Future


COVID-19 is an epidemic of proportions that have not been seen since the 1918 flu epidemic. The fact that COVID-19 is transmissible before symptoms show is causing response problems at all levels of society. Chemical facilities need to take this into account and be prepared to update their shutdown plan on almost a daily basis. Planning also needs to take into account the unthinkable; going out of business. Coordination with suppliers, customers and local officials needs to be close and continuous.

And one final item for consideration. The national supply of chemical-qualified truck drivers, particularly those with hazardous material endorsements, is already too low. As COVID-19 starts to take its toll on that relatively small community, transportation issues will be an increasing burden on chemical facilities.

HR 6186 Introduced – Chemical Background Checks


Last week Rep Weber (R,TX) introduced HR 6186, the Expedient Workforce Screening Act of 2020. The bill would require the FBI to establish the National Criminal History Chemical and Refining Background Check Program.

Definitions


Section 6 of the bill provides the key definitions. The terms defined include:

• Authorized agency;
• Qualified entity;
• Qualified educational entity; and
• Criminal history record information

The two ‘qualified’ definitions provide limits on who would be able to request criminal history record information from the program.

The term ‘qualified entity’ means an entity that “provides natural gas or petroleum chemical manufacturing or refining-related services, including connecting terminals and pipelines” {§6(2)(A)}. This portion of the definition also specifically states that it is not limited to facilities that are covered under the Chemical Facilities Anti-Terrorism Standards (CFATS) or Maritime Transportation Security Act (MTSA) programs. The second part of the definition provides that the entity must be approved by the FBI to submit the request.

The term ‘qualified educational entity’ describes an American owned §501(c)(3) school or industrial safety training facility that is “recognized by the Attorney General to provide assistance to qualified entities under section 3” {§6(3)(C)}, the National Criminal History Chemical and Refining Background Check Program.

The term ‘criminal history record information’ means “information collected by criminal justice agencies on individuals, consisting of identifiable descriptions and notations of arrests, detentions, indictments, infractions, or other informal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release” {§6(5)}. The term specifically does not include identifying information, including fingerprints, if that information “does not indicate the individual’s involvement with the criminal justice system.”

The Program


Section 3 of the bill outlines the Program. The Program would “permit qualified entities to request national criminal history background checks for the purpose of obtaining identification authentication and criminal history background check information of individuals seeking access to a qualified entity” {§3(a)}. It would allow a qualified entity to “request a national criminal history background check directly through the FBI” {§3(b)}.

Qualified educational entities may assist in the “identification authentication of individuals seeking access to a qualified entity” {§3(c)(1)}. They may also assist in “setting criminal history record information standards for access to qualified entities” {§3(c)(2)}.

The FBI may recoup “the cost of building, maintaining, and enhancing an appropriate Federal and State infrastructure for the national criminal history background check system” {§3(e)} by charging qualified entities a fee to request criminal history record information.

Section 4 of the bill provides that this legislation does not require anyone to use the Program, nor does it limit anyone else from providing criminal background checks.

Moving Forward


Weber is not a member of the House Judiciary Committee to which this bill was referred for consideration. This means that it is unlikely that the bill will be considered in Committee. I suspect that the bill would be opposed by many Democrats because of the lack of privacy protections and the failure of the bill to provide a mechanism for individuals to review and appeal information held by the Program. If the bill were to be considered in Committee, it would be unlikely to be approved without substantial revision.

Commentary


This is an odd little bill. The need for a centralized criminal record database for use by employers is becoming more obvious, especially for critical infrastructure facilities. Unfortunately, I do not think that this bill meets that need.

The definition of ‘qualified entity’ is odd and convoluted. It is obviously limited to the oil and gas industry, but there is no explanation of why it is limited that way. There are any number of different industries that are required to perform criminal background checks. The CFATS program mentioned in the bill is certainly one Federal regulatory program that requires facilities outside of the oil and gas industry to conduct criminal background checks on employees and those requesting unaccompanied access to covered facilities.

Most ‘qualified entities’ do not do their own criminal background checks; they typically hire some sort of consumer reporting agency to do that as part of the employee screening process. This bill does not address the use of third-party agencies requesting criminal background checks on behalf of ‘qualified entities’ other than to mention them in passing in the §4 rules of construction as not being required to use the Program.

And this whole business of ‘qualified educational entity’ is more than a little suspect. Why would the Program need to address identification authentication standards or criminal history standards as it pertains to authorizing access to qualified entities? A criminal background check is simply an information report on data held by governmental organizations. How that information is used by qualified entities to determine who has access to their facilities is a completely separate matter that is not under the purview of the FBI.

This bill certainly deserves the quiet dusty death of legislative apathy that is the destiny of most legislation proposed in Congress.

Wednesday, March 18, 2020

NTIA to Host Meeting on Software Component Transparency – 4-15-20

Today the Department of Commerce’s National Telecommunications and Information Administration (NTIA) published a meeting notice in the Federal Register (85 FR 15435-15436) concerning the “Multistakeholder Process on Promoting Software Component Transparency”. This will be a virtual meeting on April 15th, 2020 from 10:00 am to 4:00 pm EDT.

NTIA acts as the host for the Multistakeholder process that is looking at the security issues related to the use of third-party components in software development. The process kicked off in July 2018. The “NTIA Software Component Transparency” web site provides a good overview of the multiple meetings that have been held since that date as well as a look at the ongoing activities of the various working groups.

According to today’s notice:

“The main objectives of the April 15, 2020, meeting are to share progress from the working groups; to give feedback on the ongoing work around technical challenges, tooling, demonstrations, and awareness and adoption; and to begin discussions around potential guidance or playbook documents.”

Details on how to participate in the virtual meeting will be published on the Software Component Transparency web site closer to the meeting date. The meeting will be open to the public on a first-come, first-served basis.

HR 6113 Introduced – ARPA-H2O


Earlier this month Rep Katko (R,NY) introduced HR 6113, the ARPA-H2O Act of 2020. The bill would establish an Advanced Research Projects Administration – Water (ARPA-H2O) within the Environmental Protection Agency. ARPA-H2O would be tasked with enhancing, “through the deployment of advanced technologies, the treatment, monitoring, delivery, affordability, and safety” {§2(a)} of drinking water systems.

Definitions


Section 5 provides key definitions used in the bill. This is especially important in a bill like this that stands alone, not an amendment of a current statute or law.

The defined terms include:

• ARPA-H2O;
• Eligible entity; and
• Water systems

The definition of water systems is probably the most important definition provided. It is defined as an entity that {§5(4)}:

• Serves the public;
• Manages the supply, treatment, or conveyance of:

Drinking water;
Wastewater and water resource recovery;
Stormwater; or
Water reuse; and

• Large decentralized systems that provide treatment for two or more households.

Research Advisory Council


Subsection 2(b) would require ARPA-H2O to establish a twelve-member Research Advisory Council to recommend program content and annual research priorities. The members would represent:

• Public and private water systems including large decentralized systems;
• Academia;
• National nonprofits and organizations that represent the water sector and collaborate with the EPA;
• Public or private entities engaged in technology development, deployment, or consultation to enhance delivery, reliability, affordability, and safety of the operations of water systems; and
• Relevant Federal agencies.

Eligible Projects


Subsection 3(b) provides a list of projects that could be eligible for research support by ARPA-H2O. They include:

• Water technologies that may improve efficiency and resiliency of water systems, lower lifecycle costs or reduce energy consumption of water systems treatment and conveyance.
• Methods to detect, monitor, and address contaminants present in drinking water or wastewater.
• Methods to advance nutrient management for source water protection.
• Resource recovery of marketable products derived from water systems including, but not limited to, nutrient, biosolids, energy, metals, and recycled water.
• Advancements in beneficial reuse and desalination that support the diversification of water supplies.
• Approaches to mitigation, containment, and treatment of stormwater.
• Methods to test, treat, and study the impacts of emerging contaminants.

Moving Forward


Neither Katko nor his single cosponsor {Rep Kildee (D,MI)} is a member of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. This means that the bill is unlikely to be considered by that Committee. If it were considered, I suspect that there would be some level of bipartisan support for the legislation.

Commentary


Let’s get a nit-picky complaint out of the way. The first two definitions in §5 reference back to “subsection (a)”. There is no subsection (a) in §5. What the reference should be is to “section 2(a)”.

Since the EPA is congressionally mandated as the agency that is responsible for the security of water systems and wastewater systems, it would seem to me that security research, particularly cybersecurity research, should be an important purview of ARPA-H2O. To that end I would like to suggest the following language be inserted as a new paragraph in §3(b):

(9) Security technologies to prevent physical attacks or cybersecurity threat (as that term is defined in 6 USC 1501) on water supplies, distribution systems, water treatment chemicals or administrative systems that support efficient distribution of drinking water; and

Bills Introduced – 3-17-20


With just the Senate in session this week there were 12 bills introduced yesterday. One of those bills will receive future coverage in this blog:

S 3506 A bill to extend the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes. Sen. Lankford, James [R-OK]

It is odd to see this bill introduced when there is already a House passed bill, HR 6160 (an official copy of the bill is now available), available for action. Lankford is the Chair of the Subcommittee on Regulatory Affairs and Federal Management of the Senate Homeland Security and Governmental Affairs Committee. That would be the Subcommittee ‘responsible’ for the CFATS program, but based upon past work on CFATS I would have expected Chairman Johnson (R,WI) to be the author of an ‘official’ committee bill. We will have to wait a couple of days to see what this bill actually says. I expect that it will be a shorter-term extension; maybe until November?

Tuesday, March 17, 2020

1 Advisory Published – 3-17-20


Today the CISA NCCIC-ICS published one control system security advisory for products from Delta Electronics.

Delta Advisory


The advisory describes two vulnerabilities in the Delta Industrial Automation CNCSoft ScreenEditor. The vulnerabilities were reported by Natnael Samson (@NattiSamson) and kimiya, working with the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-7002; and
• Out-of-bounds read - CVE-2020-6976

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause buffer overflow conditions that may allow information disclosure or remote code execution, or crash the application. According to the ZDI advisories (here, here and here) the vulnerabilities are remotely exploitable.

Commentary


The two different ZDI advisories for the buffer overflow vulnerability show slightly different descriptions of the vulnerability. Both describe parsing problems in DPB files. The kimiya advisory appears to be slightly more generic, where the Samson advisory specifies that the problem lies in parsing the GifName information in DPB files. There is a possibility that there are two separate vulnerabilities here. This is where it would be helpful to have the researchers verify the efficacy of the fix. We could have a situation here where the more specific vulnerability was fixed, but the more generic problem remains.
