Saturday, October 31, 2020

OIRA Approves CISA COVID-19 Tracing Reporting Form

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced [.PDF download link] that it had approved an information collection request (ICR) from the DHS Cybersecurity and Infrastructure Security Agency (CISA) for a “COVID-19 Tracing Reporting Form”. CISA will use this ICR to collect voluntary information on digital contact tracing tools (DCTT) used by various State and local government agencies to track potentially affected personnel during the COVID-19 pandemic. This ICR was submitted to OIRA earlier this week on an emergency basis without the standard publish, comment and review process.

According to the ICR supporting document [.PDF download link], CISA will use this information to conduct an initial assessment of “the vulnerabilities and mitigation options needed to conduct a safe digital contact tracing campaign in order to provide best practices for the public for the most popular types of tools used by stakeholders”. That document further explains (pg 1):

“In response to the enduring nature of the pandemic, state, local, tribal and territorial (SLTT) governments and owners and operators of critical infrastructure, have been developing, promoting, and using various forms of digital contact tracing tools as a key part of their virus response. However, this is the first use of these digital tools at a large scale or for the purposes of contact tracing. This novel use of existing technology paired with the federal nature of the United States creates a patchwork of digital contact tracing programs and tools that use different means, have different security, and collect different information. To help provide order to this issue and best practices on how to employ these new technologies, CISA needs to know what digital contact tracing tools these entities are employing. Many SLTT governments have already employed or are considering employing a digital contact tracing tool. CISA needs additional back-end development information, which can only be done through a survey, on the type of contact tracing tool used in order to provide cybersecurity and best practices for the large and varied digital contact tracing landscape.”

CISA expects to receive 166 responses to this voluntary survey (draft form located here; .PDF download link, and the file can only be read with Adobe Reader 8 or higher, so it will not download if you are using another .PDF reader). They expect 60 responses from State, local, tribal, and territorial (SLTT) government agencies and 106 responses from the private sector (presumably application developers?).

CISA is expected to publish an ICR collection notice in the Federal Register in the coming week to support this emergency ICR.

Public ICS Disclosures – Week of 10-24-20

This week we have three medical device manufacturers (BD, Philips, and Spacelabs) publishing advisories related to the government’s warning about Ryuk ransomware. There are two new vendor advisories for the CodeMeter vulnerabilities for products from ENDRESS+HAUSER and TRUMPF. We also have three additional vendor disclosures for products from WAGO and Moxa (2).

Ryuk Ransomware

BD published an advisory for the Ryuk ransomware. The advisory provides a list of products that have been susceptible to the five common vulnerabilities used to infect systems with the ransomware. Versions are available that mitigate those vulnerabilities.

Philips published an advisory for the Ryuk ransomware. Philips is specifically evaluating the Netlogon vulnerability as part of their look at this problem.

Spacelabs published an advisory for the Ryuk ransomware. The advisory provides a description of the potentially affected products, but no direct impact is reported.

CodeMeter Advisories

CERT-VDE published an advisory for the CodeMeter vulnerabilities in products from ENDRESS+HAUSER. The advisory provides a list of affected products and recommends applying the WIBU Systems updates.

CERT-VDE published an advisory for the CodeMeter vulnerabilities in products from TRUMPF. The advisory provides a list of affected products. TRUMPF is working on updated versions that will mitigate the vulnerabilities.

WAGO Advisory

CERT-VDE published an advisory describing an uncontrolled resource consumption vulnerability in the WAGO 750-88x and 750-352 PLC families. The vulnerability was reported by William Knowles of Applied Risk. WAGO has a new firmware version that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

Moxa Advisories

Moxa published an advisory describing a privilege escalation via Web console vulnerability in their NPort 5100A Series serial device servers. The vulnerability was reported by Nikita Firsov. Moxa has a new firmware version that mitigates the vulnerability. There is no indication that Firsov has been provided an opportunity to verify the efficacy of the fix.

Moxa published an advisory describing an improper restriction of operations vulnerability in their EDR-G903, EDR-G902, and EDR-810 Series Secure Routers. The vulnerability was reported by Xinjie Ma from Chaitin Security Research Lab. Moxa has new firmware versions that mitigate the vulnerability. There is no indication that Xinjie has been provided an opportunity to verify the efficacy of the fix.

Thursday, October 29, 2020

2 Advisories and 2 Updates Published – 10-29-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi. They also updated two advisories for products from WECON and Mitsubishi.

MELSEC iQ-R Advisory

This advisory describes six vulnerabilities in the TCP/IP stack of the Mitsubishi MELSEC iQ-R Series EtherNet/IP Network Interface Module. The vulnerabilities are self-reported. The Mitsubishi advisory reports that they have new versions that mitigate the vulnerabilities.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5653,

• Session fixation - CVE-2020-5654,

• Null pointer dereference - CVE-2020-5655,

• Improper access control - CVE-2020-5656,

• Argument injection - CVE-2020-5657, and

• Resource management errors - CVE-2020-5658

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause network functions to enter a denial-of-service condition or to allow malware execution.

MELSEC iQ-R, Q and L Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R, Q and L Series CPU modules. The vulnerability is self-reported. The Mitsubishi advisory reports that they have new firmware versions that mitigate the vulnerability in some of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition in the Ethernet port on the CPU module.

WECON Update

This update provides additional information on an advisory that was originally published on August 25, 2020 and most recently updated on October 20th, 2020. The new information includes adding Tran Van Khang - khangkito of VinCSS to the list of researchers involved in reporting the vulnerabilities.

Mitsubishi Update

This update provides additional information on an advisory that was originally reported on October 8th, 2020. The new information includes updated version and mitigation information for the following modules:

• R00/01/02CPU,

• R04/08/16/32/120CPU,

• R04/08/16/32/120ENCPU, and

• R08/16/32/120SFCPU

Wednesday, October 28, 2020

TSA Extends HME Renewal Exemption – 10-28-20

Today the Transportation Security Administration (TSA) published a notice in the Federal Register (85 FR 68357-68358) providing a further exemption for States to allow holders of a Hazardous Material Endorsement (HME) for a commercial driver’s license to extend that HME for 180 days without requiring a new security threat assessment. The exemption would be extended through December 31st, 2020. This exemption was initiated in March and earlier renewed in July. This extension, like the earlier TSA revision of surface transportation security training compliance dates, has been undertaken due to the impact of the COVID-19 pandemic.

The extension would allow States to provide a 180-day renewal extension without requiring a new security threat assessment for HMEs that expire after March 1st, 2020. The new termination date for that authority would be December 31st, 2020. HME holders would still be required to begin the security threat assessment process 60 days before the end of the State-granted exemption.

The notice does make it clear that individuals “who were eligible for an extension of their HMEs during the initial exemption may continue to be eligible under this notice of extension of the exemption.” However, HME holders that were granted extensions in April and May of this year would have been required to have already begun the security threat assessment process to meet the 60-day deadline, so they may not need the new extension.

Tuesday, October 27, 2020

1 Advisory Published – 10-27-20

Today the CISA NCCIC-ICS published a control system security advisory for products from SHUN HU Technology.

SHUN HU Advisory

This advisory describes two vulnerabilities in the SHUN HU JUUKO Industrial Radio Remote Control system. The vulnerabilities were reported by Marco Balduzzi, Philippe Z Lin, Federico Maggi, Jonathan Andersson, Akira Urano, Stephen Hilt, and Rainer Vosseler via the Zero Day Initiative. SHUN HU has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture replay - CVE-2018-17932, and

• Command injection - CVE-2018-19025

NCCIC-ICS reports that a relatively low-skilled attacker with access to an adjacent network could exploit these vulnerabilities to replay commands, control the device, view commands, and/or stop the device from running.
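The first JUUKO finding is a capture-replay weakness: a receiver that honours any well-formed frame will act on a frame recorded earlier. As an added example (not SHUN HU’s protocol or code), the following Python models the standard receiver-side mitigation: a per-pairing shared key, a monotonically increasing counter in every frame, and a truncated HMAC over counter and command, so a captured frame cannot be accepted a second time and a frame whose command bytes were altered fails verification. The key, frame layout, tag length and acceptance window are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment provisions a distinct secret per
# transmitter/receiver pairing rather than a fleet-wide constant.
SHARED_KEY = b"demo-pairing-key-not-for-production"
TAG_LEN = 8          # truncated HMAC-SHA256 tag carried in every frame
COUNTER_LEN = 4      # big-endian 32-bit monotonically increasing frame counter


class Transmitter:
    """Builds frames laid out as counter || command || tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, command: bytes) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + command
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.last_counter = 0
        self.window = window   # lost frames tolerated before a resync is required

    def accept(self, frame: bytes):
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return None                                  # malformed
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                                  # forged or corrupted
        counter = struct.unpack(">I", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return None                                  # replayed or stale frame
        if counter - self.last_counter > self.window:
            return None                                  # too far ahead; treat as desync
        self.last_counter = counter
        return body[COUNTER_LEN:]


class LegacyReceiver:
    """Models a receiver with no freshness or integrity check: every frame is honoured."""

    def accept(self, frame: bytes):
        return frame


def run_scenario():
    """Replays one captured frame against both receiver designs."""
    tx, rx = Transmitter(SHARED_KEY), Receiver(SHARED_KEY)
    start_frame = tx.send(b"START")
    first = rx.accept(start_frame)                       # b"START": genuine, fresh
    replay = rx.accept(start_frame)                      # None: counter already seen
    forged = rx.accept(start_frame[:-TAG_LEN] + bytes(TAG_LEN))  # None: tag mismatch
    stop = rx.accept(tx.send(b"STOP"))                   # b"STOP": next counter value
    legacy = LegacyReceiver().accept(start_frame)        # captured frame accepted verbatim
    return first, replay, forged, stop, legacy


if __name__ == "__main__":
    print(run_scenario())
```

The counter is what turns a recorded frame into a rejected one; the MAC is what stops an attacker from simply incrementing the counter in a captured frame. Both are needed, and the receiver must persist `last_counter` across power cycles or a restart reopens the replay window.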

Bills Introduced – 10-26-20

Yesterday, with the Senate finishing up their unusual and controversial October sessions, there were 30 bills introduced. One of those bills may see additional coverage in this blog:

S 4869 A bill to require software marketplace operators and owners of covered foreign software to provide consumers with a warning prior to the download of such software, to establish consumer data protections, and for other purposes. Sen. Rubio, Marco [R-FL] 

While I suspect that this bill is targeted at consumer applications, I will be watching for language and definitions that could include control system software and applications in the coverage of the bill. I also suspect that this is targeted at Chinese developed software, but language and definitions could make that targeting problematical.

Saturday, October 24, 2020

TSA Amends Surface Security Training Compliance Dates

The TSA published a notice in Monday’s Federal Register (available online today; 85 FR 67681-67683) announcing the extension of compliance deadlines for the “Security Training for Surface Transportation Employees” final rule. This notice further extends one of the compliance deadlines that was revised in May. Both sets of extensions were established because of complications in the transportation sector due to the COVID-19 pandemic.

In this latest extension the TSA keeps the effective date of the regulation at the extended date of September 21st, 2020. The deadline for notifying TSA of applicability determination (1570.105) remains October 21st, 2020. The deadline for providing security coordinator information (49 CFR 1570.201) remains October 28th, 2020. The notice states that the deadline for §1570.203 (security incident reporting requirement) compliance has not been changed. There was no specific date set in the regulation for that requirement, so the effective date for that requirement is the effective date of the regulation, 9-21-20.

The only change then is the deadline for submission of security training programs to TSA for approval {§1570.109(b)}; it is being changed from December 21st, 2020 to March 22nd, 2021.

TSA is making this change in the regulation without going through the publish and comment process under provisions of 5 USC 553 (b) and (d). They note that:

“TSA has good cause to delay the compliance deadline for submission of security training programs without advance notice and comment or a delayed effective date. To delay taking this action while waiting for public comment would be impracticable and contrary to the public interest. The owner/operators subject to the requirements of the final rule need immediate certainty regarding the deadlines of the final rule so that they may focus on other urgent issues affecting their operations.”

Public ICS Disclosures – Week of 10-17-20

We have one new vendor disclosure this week for products from HMS. We also have three vendor updates for products from Rockwell and Schneider (2). We also have news of a possible cyberattack on Softing, a control system vendor.

HMS Advisory

HMS published an advisory discussing the BLURtooth vulnerability. HMS reports that none of their products are affected by this vulnerability.

NOTE: The BLURtooth vulnerability is a currently unpatched vulnerability in some implementations of the Bluetooth standard that allows attacker-in-the-middle exploits. I expect that we will be seeing more vendor communications about this vulnerability in the coming weeks, especially from medical device manufacturers where the use of Bluetooth is more common.

Rockwell Update

Rockwell published an update for their advisory on OSIsoft PI System vulnerabilities that was originally published on May 12th, 2020. The new information includes new version information for vulnerability mitigation.

Schneider Updates

Schneider published an update for their Ripple20 advisory. The new information includes:

• Adding remediation for “EGX150/Link150 Ethernet Gateway”, “Acti9 PowerTag Link / HD”, “Acti9 Smartlink SI D”, and “Acti9 Smartlink SI B”, and

• Adding PowerLogic EGX100 to affected products list.

Schneider published an update for their APC by Schneider Electric Network Management Cards advisory that was originally published on June 23rd, 2020 and most recently updated on September 1st, 2020. The new information includes updated overview section, available remediations and affected products tables (some affected products were moved from the above advisory to this one).

Vendor News

When I checked the Softing advisory web page today an interesting popup appeared. It said:

“IMPORTANT NOTE:

“Softing AG fell victim to targeted cyber attacks through no fault of its own. Unknown perpetrators have invaded the internal networks. In order to avoid possible damage to the IT infrastructure, we have severely restricted the external communication options.

“For urgent inquiries we are still available to our customers under the following contact details:

“Softing Industrial Automation: +49 15119489547”

A brief Google® search reveals no news items about this attack.

As always with an attack on a control system vendor we have to be concerned about the potential product security problems that could arise from the compromise of the system. Access to product source code could allow for easier vulnerability detection by the attacker or even possible modification of that source code to insert vulnerabilities. Access to vendor web site code could allow for the establishment of drive-by code. None of the above is a given, but it does provide an area for potential concern, particularly if the company is not completely forthcoming about the extent of the attack. Hopefully we are just early in the news cycle on this attack and more information will become publicly available in the coming days.

Thursday, October 22, 2020

2 Advisories Published – 10-22-20

Today the CISA NCCIC-ICS published two medical device security advisories for products from B. Braun Melsungen AG.

SpaceCom Advisory

This advisory describes eleven vulnerabilities in the B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus products. The vulnerabilities were reported by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research, and Dr. Oliver Matula of ERNW Enno Rey Netzwerke via the German Federal Office for Information Security (BSI). B. Braun has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Cross-site scripting - CVE-2020-25158,

• Open redirect - CVE-2020-25154,

• XPath injection - CVE-2020-25162,

• Session fixation - CVE-2020-25152,

• Use of one-way hash without a salt - CVE-2020-25164,

• Relative path traversal - CVE-2020-25150,

• Improper verification of cryptographic signature - CVE-2020-25166,

• Improper privilege management - CVE-2020-16238,

• Use of hard-coded credentials - CVE-2020-25168,

• Active debug code - CVE-2020-25156, and

• Improper access control - CVE-2020-25160

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.

OnlineSuite Advisory

This advisory describes three vulnerabilities in the B. Braun OnlineSuite product. The vulnerabilities were reported by the same researchers mentioned in the first advisory. B. Braun has an update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Relative path traversal - CVE-2020-25172,

• Uncontrolled search path element - CVE-2020-25174,

• Improper neutralization of formula elements in a CSV file - CVE-2020-25170

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to escalate privileges, download and upload arbitrary files, and perform remote code execution.

NOTE: Neither of the company advisories is listed on the US web site for B. Braun.
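The third OnlineSuite finding, improper neutralization of formula elements in a CSV file, arises when exported cells that begin with characters such as “=”, “+”, “-” or “@” are later opened in a spreadsheet and evaluated as formulas. As an added example (not B. Braun’s code), the following Python shows the usual export-side mitigation: every string cell that would be read as a formula is prefixed with an apostrophe so the spreadsheet renders it as text, while plain numeric strings are left alone so that negative values stay numeric. The sample rows and header are constructed for the demonstration.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(text: str) -> bool:
    """'-12.5' is data, not a formula; numeric strings are kept untouched."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Prefix a would-be formula with an apostrophe so it is rendered as text.

    Leading whitespace is ignored for the check (some importers strip it) but the
    original cell content is preserved after the apostrophe.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip().startswith(FORMULA_PREFIXES) and not _is_plain_number(value):
        return "'" + value
    return value


def export_rows(rows, header) -> str:
    """Write rows as CSV text, neutralizing every cell and quoting every field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: one benign note, one cell that would be evaluated as a
# formula if written verbatim, and a negative number that must stay numeric.
SAMPLE_HEADER = ("record_id", "note", "adjustment")
SAMPLE_ROWS = [
    ("1001", "Routine check", "0"),
    ("1002", "=SUM(1,2)", "-12.5"),
    ("1003", "@SUM(A1:A3)", "+3"),
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, SAMPLE_HEADER))
```

The apostrophe is interpreted by common spreadsheet applications as a text marker, but any downstream tool that re-reads the CSV programmatically will see it as part of the data, so the export format should document the convention. Quoting every field (`QUOTE_ALL`) also keeps embedded commas and quotes from splitting or merging cells.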

Bills Introduced – 10-21-20

Yesterday with just the Senate in session, there were 20 bills introduced. One of those bills will see additional coverage in this blog:

S 4833 A bill to amend title 32, United States Code, to authorize cybersecurity operations and missions to protect critical infrastructure by members of the National Guard in connection with training or other duty. Sen. Hassan, Margaret Wood [D-NH]

I will be watching this bill for language and definitions that would specifically cover industrial control system cybersecurity operations or operations at high-risk chemical facilities.

Wednesday, October 21, 2020

HR 8223 Introduced – Cyber Essentials Act

Last month Rep Katko (R,NY) introduced HR 8223, the Cyber Essentials Act. The bill would require CISA to publish and maintain guidelines for defending against common cybersecurity threats and cybersecurity risks.

The bill would amend 6 USC 653(b), adding a new function for the CISA Assistant Director for Cybersecurity. That new function would require the Assistant Director, in consultation with NIST, to “develop, publish, and update as necessary guidelines and processes for a national audience regarding usable evidence-based controls that have the most impact in defending against common cybersecurity threats and cybersecurity risks” {new §653(b)(4)}.

Section 2(b) of the bill provides that CISA would not be required to comply with the publish and comment requirements of the Paperwork Reduction Act in preparing this guidance.

There is no funding authorization in this bill.

Moving Forward

Katko and two of his cosponsors {Rep Langevin (D,RI) and Rep Rice (D,NY)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there is a chance (after the election) that this bill could be considered in Committee. The bill would almost certainly receive bipartisan support in Committee. The bill could be brought to the floor in the lame duck session under the suspension of the rules process, but it is unlikely that it would make it to the President’s desk this year.

Commentary

The two key cybersecurity terms used in this bill, ‘cybersecurity threat’ and ‘cybersecurity risk’ are defined in reference to two separate definitions of ‘information system’. The term ‘cybersecurity threat’ is based upon the more expansive, and control system inclusive, definition found in 6 USC 1501. The term ‘cybersecurity risk’ relies upon the IT restrictive definition from 44 USC 3508. Thus, the guidance could include information on protecting industrial control systems, building automation systems, and security control systems.

CISA does not currently list any cybersecurity guidance documents on its guidance document web page. There is nothing that would currently prevent CISA from publishing such documents. The relatively vague wording in this added requirement does not set a time limit or establish at what areas of the ‘national audience’ these guidance documents would be targeted. Along with the lack of specific funding for the process of developing such guidelines, this provides a wonderful example of Congress trying to appear to take action on cybersecurity without actually doing anything.

If this bill is not (as I suspect it will not) passed in this session, it will almost certainly be re-introduced in the 117th Congress.

Tuesday, October 20, 2020

2 Advisories and 2 Updates Published – 10-20-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Hitachi ABB Power Grids and Rockwell Automation, and updated an advisory for products from WECON. They also updated a medical device security advisory for products from Capsule Technologies.

Hitachi ABB Advisory

This advisory describes an improper authentication vulnerability in the Hitachi ABB XMC20 Multiservice-Multiplexer. The vulnerability is self-reported. Hitachi ABB has new firmware versions that mitigate the vulnerability.

NOTE: The Hitachi ABB advisory describes this as a third-party vulnerability in Libssh. They also report that exploit code is publicly available for the vulnerability. This vulnerability was reported by Peter Winter-Smith of NCC Group. An article on ZDNet.com notes that this is not the most commonly used ssh library, but we must assume that other vendor products may be affected by this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to remotely take control of the product.

Rockwell Advisory

This advisory describes three classic buffer overflow vulnerabilities in the Rockwell 1794-AENT Flex I/O Series B EtherNet/IP adapters. The vulnerabilities were reported (here, here and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds for these vulnerabilities.

NOTE: The Cisco Talos reports contain proof-of-concept exploit code for the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device being accessed, resulting in a buffer overflow condition that may allow remote code execution.

NOTE: I briefly reported on these vulnerabilities last Saturday.

WECON Update

This update provides additional information on an advisory that was originally published on August 25, 2020. The new information includes:

• Adding ‘improper restriction of xml external entity reference’ as a new vulnerability,

• Adding ‘and obtain sensitive information’ to the risk evaluation, and

• Adding ‘Mehmet D. INCE @mdisec from T0.Group’ as a reporting researcher.

Capsule Technologies Update

This update provides additional information on an advisory that was originally published on July 14th, 2020. The new information includes updated affected version information and links to mitigation measures.

Sunday, October 18, 2020

Public ICS Disclosures – Week of 10-10-20 – Part II

We have four new vendor notifications from Schneider. We also have nine vendor updates from Schneider (6) and Siemens (3).

Schneider Advisories

Schneider published an advisory describing a credentials management vulnerability in their Modicon Ethernet Programmable Automation products. The vulnerability was reported by Yang Dong of DingXiang Dongjian Security Lab. Schneider has new firmware versions that mitigate the vulnerability. There is no indication that Yang has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an insufficiently random values vulnerability in their Smartlink, PowerTag, and Wiser series gateways. The vulnerability is self-reported. Schneider has new firmware versions that mitigate the vulnerability.

Schneider has published an advisory describing three vulnerabilities in their EcoStruxure™ and SmartStruxure™ Power Monitoring & SCADA Software. The vulnerabilities were reported by Michiel Evers and Niels Pirotte. Schneider has new products and upgrades that mitigate the vulnerabilities in some of the affected systems. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper access control (2) - CVE-2020-7545 and CVE-2020-7547, and

• Improper neutralization of input during web page generation - CVE-2020-7546

Schneider published an advisory for the Microsoft® Netlogon vulnerability. Schneider has not yet determined how the MS patch would affect their systems.

Schneider Updates

Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on September 1st, 2020. The new information includes adding remediation guidance for:

• VW3A3310 Altivar 61/71 Modbus TCP,

• VW3A3310D Altivar 61/71 Ethernet daisy chain,

• VW3A3316 Altivar 61/71 Ethernet IP, and

• VW3A3320 Altivar 61/71 Ethernet IP RSTP

Schneider published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on June 9th, 2020. The new information includes providing updated remediations for:

• Modicon LMC078 Controller,

• Modicon M580 Ethernet communications Modules,

• Modicon M580 IEC 61850 - BMENOP0300 (C),

• Modicon MC80 Programmable Logic Controller,

• Modicon Quantum 140 NOP Communications Module,

• PacDrive 3 Eco/Pro/Pro2 Motion Controllers,

• Pro-face HMI - GP4000H/R/E Series, GP4100 Compact Series, LT4000M Modular Series

Schneider published an update for the advisory on their Modbus Serial Driver that was originally published on August 11th, 2020. The new information includes adding a remediation note for EcoStruxure Machine Expert Basic.

Schneider published an update for the advisory on their Modicon Controllers that was originally published on May 14th, 2019 and most recently updated on August 11th, 2020. The new information includes additional remediation steps for M580 and M340.

Schneider published an update for the advisory on their SCADAPack products that was originally published on September 8th, 2020. The new information includes correcting the fix version of RemoteConnect from V2.3.2 to V2.4.2 package.

Schneider published an update for the advisory on their Modicon Controllers that was originally published on March 16th, 2017. The new information includes updates in the following sections (a fairly major rewrite):

• Products affected,

• Vulnerability details,

• Remediation, and

• Acknowledgement

NOTE: This advisory was one of three that were included in the ICS-CERT advisory, ICSA-17-089-02. NCCIC-ICS should probably update that advisory.

Siemens Updates

Siemens published an update for their Intel CPU advisory that was originally published on February 11th, 2020 and most recently updated on July 14th, 2020. The new information includes updated solutions for:

• SIMATIC IPC427E,

• SIMATIC IPC477E, and

• SIMATIC IPC477E Pro

Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on September 8th, 2020. The new information includes adding:

• CVE-2019-19037,

• CVE-2020-10732,

• CVE-2020-14145,

• CVE-2020-14381,

• CVE-2020-1968,

• CVE-2020-24394,

• CVE-2020-25212, and

• CVE-2020-25220

Siemens published an update for their CodeMeter advisory that was originally published on September 8th, 2020. The new information includes:

• Adding PSS CAPE Protection Simulation Platform to the list of affected products,

• Adding solution by software update for SIMATIC WinCC OA,

• Adding solution by installation of latest CodeMeter Runtime version for SIMIT, SINEC INS, and PSS CAPE

NOTE: The original Siemens advisory was included in the initial list of covered vendors in ICSA-20-203-01. NCCIC-ICS would not be expected to specifically note this updated advisory since the link provided would go to the updated version on the Siemens web site.

Saturday, October 17, 2020

Public ICS Disclosures – Week of 10-10-20 – Part 1

This week we have seven vendor disclosures from Eaton, HMS, Bender, Sprecher, Bosch, Rockwell, and Carestream. There are also three vendor updates from ABB and Eaton (2). We also have an exploit that was published for products from BACnet Interoperability Test Services, Inc.

Eaton Advisory

Eaton published an advisory for the CodeMeter vulnerabilities in their Xsoft-CODESYS programming software.

NOTE: This is the first CodeMeter advisory that is specifically tied to the 4th party CODESYS implementation of the Wibu-Systems code that I have seen.

HMS Advisory

HMS published an advisory for the Ripple20 [corrected link, 10-18-20 0846 EDT] vulnerabilities, reporting that none of their products are affected.

NOTE: The advisory indicates that HMS employed a third-party research firm to help them assess the potential exposure to these vulnerabilities.

Bender Advisory

Bender published an advisory describing an improper authentication vulnerability in their COMTRAXX products. The vulnerability was reported by Maxim Rupp. Bender has a new software version that mitigates the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

Sprecher Advisory

Sprecher published an advisory describing an input validation vulnerability in their SPRECON-E engineering tools. The vulnerability was reported by Gregor Bonney of CyberRange-e at Innogy. Sprecher has a firmware update that mitigates the vulnerability. There is no indication that Bonney has been provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing the Microsoft® remote desktop services vulnerability in their Rexroth industrial PCs.

Rockwell Advisory

Rockwell published an advisory describing five buffer overflow vulnerabilities in their 1794-AENT Flex I/O products. The vulnerabilities were reported (here, here and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds to mitigate these vulnerabilities.

NOTE: The Cisco Talos reports provide proof-of-concept code for the vulnerabilities.

Carestream Advisory

Carestream published an advisory [.PDF download link] describing the Microsoft Bad Neighbor vulnerability. Carestream is looking into the potential effects of this vulnerability on their products.

ABB Update

ABB published an update of their CodeMeter advisory for their Automation Builder products that was originally published on September 17th, 2020. ABB reports that CVE-2020-14517 has not been closed in the latest version of the Wibu-Systems CodeMeter (v.7.10a). That version has been integrated into the latest version of Automation Builder.

Eaton Updates

Eaton published an update for their Ripple20 [Corrected link, 10-18-20, 0851 EDT] advisory that was originally published on June 23rd, 2020 and most recently updated on July 24th, 2020. The new information includes updated mitigation information for Form 4D.

Eaton published an update for their Triangle MicroWorks DNP3 Outstation Libraries vulnerability advisory that was originally published on April 22nd, 2020 and most recently updated on August 6th, 2020. Eaton has updated their affected product list and mitigation measures.

NOTE: The NCCIC-ICS advisory was never updated to provide links to vendors reporting these library vulnerabilities in their products.

BACnet Exploit

Zero Science Lab published an exploit for a remote denial of service vulnerability in the BACnet Test Server from BACnet Interoperability Test Services, Inc. There is no report of a coordinated disclosure or CVE # for this vulnerability so it looks like it may be a 0-day exploit.

More to Come

Part II of this post will include Schneider and Siemens advisories and updates.

Thursday, October 15, 2020

2 Advisories and 1 Update Published – 10-15-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Advantech and updated one advisory for products from Wibu-Systems.

R-SeeNet Advisory

This advisory describes an SQL injection vulnerability in the Advantech R-SeeNet monitoring application. The vulnerability was reported by rgod via the Zero Day Initiative (ZDI). Advantech has a new version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit this vulnerability to retrieve sensitive information from the R-SeeNet database.

NOTE: NCCIC-ICS provides a link to the Advantech advisory for this vulnerability. This is the first time that I have seen an advisory published by Advantech (actually, Advantech Czech s.r.o.), and they also have a security notifications web page, which apparently only covers their cellular routers and gateways. Interestingly, they make Common Vulnerability Reporting Framework (CVRF) v1.1 files on identified vulnerabilities available to their customers.

WebAccess Advisory

This advisory describes an external control of file name or path vulnerability in the Advantech WebAccess/SCADA software package. The vulnerability was reported by Sivathmican Sivakumaran via ZDI. Advantech has newer versions that mitigate the vulnerability. There is no indication that Sivakumaran has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to control or influence a path used in an operation on the filesystem and remotely execute code as an administrator.

NOTE: This vulnerability was not reported on the web site I discussed for the earlier vulnerability, nor was there an Advantech advisory available.

CodeMeter Update

This update provides additional information on an advisory that was originally published on September 8th, 2020 and most recently updated on October 1st, 2020 (the advisory incorrectly refers back to an earlier version from September 17th). The new information includes links to two new vendor advisories from Schneider and WEIDMUELLER.

Wednesday, October 14, 2020

4 Updates Published – 10-13-20

Yesterday the CISA NCCIC-ICS updated four control system security advisories for products from Siemens.

SCALANCE Update

This update provides additional information on an advisory that was originally published on November 28th, 2017 and most recently updated on May 10th, 2018. The new information includes:

• Added RUGGEDCOM RM1224 to the list of affected products,

• Updated remediation link for SCALANCE W1750D,

• Updated CVSS scores, and

• Added CWE IDs.

Industrial Products Update #1

This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated on September 8th, 2020. The new information includes mitigation links for SIMATIC MV500 and SCALANCE W1750D.

Industrial Products Update #2

This update provides additional information on an advisory that was originally published on September 8th, 2020. The new information includes:

• Removing the following from the list of affected products: SINUMERIK 840D sl (NCU730.3B), SINUMERIK 828D (PPU.4 /PPU1740), and SINUMERIK ONE (NCU1750 / NCU1760).

• Adding mitigation measures for: SIMATIC IPC627E, SIMATIC IPC647E, SIMATIC IPC677E, and SIMATIC IPC847E.

SIMATIC Update

This update provides additional information on an advisory that was originally published on September 8th, 2020. The new information includes adding SIMATIC WinAC RTX (F) 2010 and SINUMERIK 840D sl to the list of affected products.

Other Siemens Updates

Yesterday Siemens published updates for three additional advisories. If they are not covered by NCCIC-ICS before then (and I do not expect that they will be), I will discuss them this weekend.

ISCD Updates 2 FAQ Responses – 10-13-20

Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to two frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page.

The following FAQ responses were revised:

FAQ #1770 How will the Cybersecurity and Infrastructure Security Agency (CISA) protect the data it collects? Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)?

FAQ #1784 Does a facility have to count theft/diversion chemicals of interest (COI) in transportation packaging towards the screening threshold quantity (STQ) if the COI is on or attached to motive power, to include an overnight stay?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1770 Complete rewrite of FAQ and response, but no change in policy or procedure.

#1784 Provides links to regulation and Federal Register cites.

For reference purposes, here is what the language of FAQ 1770 and its response read before yesterday’s changes:

Question: Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)?

Answer: No. Notwithstanding the Freedom of Information Act or FOIA (5 U.S.C. 552), the Privacy Act (5 U.S.C. 552a), and other laws, in accordance with the Homeland Security Act as amended by the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, Public Law 113-254, and 6 C.F.R. § 27.400(g), records containing CVI are not available for public inspection or copying, and the Department does not release such records to persons without a need to know.

Further, as provided in 6 C.F.R. § 27.405, no law, regulation, or administrative action of a State or political subdivision thereof shall have any effect if such law or regulation conflicts with the Chemical Facility Anti-Terrorism Standards (CFATS). Requests for CVI under State or local FOIA or open records laws should be referred to the DHS National Protection and Programs Directorate (NPPD) Information Management and Disclosure Office, NPPD.FOIA@hq.dhs.gov.

If a record contains both information that may not be disclosed under Public Law 113-254 and information that may be disclosed, the latter information may be provided in response to a FOIA request, provided that the record is not otherwise exempt from disclosure under FOIA and that it is practical to redact the protected CVI from the requested record.

Note: Please refer to the “Safeguarding Information Designated as Chemical-terrorism Vulnerability Information (CVI) Handbook” for more information. The Handbook is available at https://www.dhs.gov/publication/safeguardinginformation-cvi-manual.

Tuesday, October 13, 2020

6 Advisories Published – 10-13-20

Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (2), Fieldcomm Group, Flexera, LCDS, and Moxa.

SIPORT Advisory

This advisory describes a use of client-side authentication vulnerability in the Siemens SIPORT MP access control system. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an authenticated attacker to impersonate other users of the system and perform (potentially administrative) actions on behalf of those users if the single sign-on feature (“Allow logon without password”) is enabled.

Desigo Advisory

This advisory describes three vulnerabilities in the Siemens Desigo Insight product. The vulnerabilities were reported by Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, and Massimiliano Brolli from TIM Security Red Team Research. Siemens has a ‘hotfix’ available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• SQL injection - CVE-2020-15792,

• Improper restriction of rendered UI layers or frames - CVE-2020-15793, and

• Exposure of sensitive information to an unauthorized actor - CVE-2020-15794

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to retrieve or modify data and gain access to sensitive information.

Fieldcomm Group Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fieldcomm Group HART-IP Developer Kit. The vulnerability was reported by Reid Wightman from Dragos, Inc. Fieldcomm has a new version for one of the affected products that mitigates the vulnerability. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

Flexera Advisory

This advisory describes an untrusted search path vulnerability in the Flexera InstallShield product. The vulnerability was reported by an anonymous researcher. Flexera will only provide mitigation measures and workarounds to registered owners.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow execution of a malicious DLL.

NOTE: This vulnerability was reported by Flexera in 2016, so why is NCCIC-ICS reporting this now? Both IBM (Tivoli Storage Manager) and Tenable (Nessus Network Monitor) have issued advisories covering this as a third-party vulnerability in 2016 and 2019 respectively. I suspect that there are other vendors that also use InstallShield that may be unaware of the vulnerability or may not have addressed it.

LCDS Advisory

This advisory describes an out-of-bounds read vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by an anonymous researcher via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

Moxa Advisory

This advisory describes six vulnerabilities in the Moxa NPort IAW5000A-I/O Series integrated serial device server. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has an updated firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation - CVE-2020-25198,

• Improper privilege management - CVE-2020-25194,

• Weak password requirements - CVE-2020-25153,

• Cleartext transmission of sensitive information - CVE-2020-25190,

• Improper restriction of excessive authorization attempts - CVE-2020-25196, and

• Exposure of sensitive information to unauthorized actor - CVE-2020-25192

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain access to and hijack a session; allow an attacker with user privileges to perform requests with administrative privileges; allow the use of weak passwords; allow credentials of third-party services to be transmitted in cleartext; allow the use of brute force to bypass authentication on an SSH/Telnet session; or allow access to sensitive information without proper authorization.

NOTE: I briefly described these vulnerabilities back in August. Moxa has updated their advisory to list the CVE numbers assigned by NCCIC-ICS.

Siemens Updates

NCCIC-ICS also published four Siemens updates today. I will cover them in a post tomorrow.

Sunday, October 11, 2020

ISCD Updates Monthly Statistics – September 2020

Sometime last week (CISA no longer dates page updates, so I cannot pinpoint it more accurately than that) CISA’s Infrastructure Security Compliance Division (ISCD) updated the information on their CFATS Monthly Statistics page. This page provides information on activities conducted by the Chemical Security Inspectors and statistics on facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program.

CSI Activities

The table below shows the activities conducted by the CFATS Chemical Security Inspectors for the last four months. Since resuming CSI activities in June, ISCD has maintained a higher operational rate for its inspectors than it saw before the COVID-19 pandemic.

Inspection Data             Jun-20   Jul-20   Aug-20   Sep-20
Authorization Inspections        1       10       24       31
Compliance Inspections          35       76      107      131
Compliance Assistance          198      162      115      140
Compliance Audit                27        8        9       23
Total Activities               234      275      255      325

Compliance Audits are a reduced-contact activity developed by ISCD in response to the COVID-19 pandemic. They were first reported in June 2020.

Facility Status

The table below shows the status of current facilities covered under the CFATS program. We continue to see a long-term trend in the gradual loss of facilities in the program. Some of this is due to changes in inventory of DHS chemicals of interest (COI), but some of the loss may be due to the closure of chemical facilities.

Facility Status    Jun-20   Jul-20   Aug-20   Sep-20
Tiered                150      139      124      108
Authorized            130      141      147      159
Approved             3061     3057     3056     3053
Total                3341     3337     3327     3320

The number of new facilities coming into the program (as reflected by the ‘Tiered’ data) is at the lowest level we have seen since the introduction of CSAT 2.0 in 2016. Some of this probably reflects the reduced number of industry events where the ISCD CFATS outreach program is able to present information about the CFATS program. More likely, however, is that the outreach program has reached a level of information saturation where there are a rapidly decreasing number of potentially covered facilities that are not aware of their reporting responsibilities under the CFATS program.

At some point ISCD is going to have to aggressively start looking for individual facilities that have willfully ignored their legal responsibility to report the presence of COI inventories. Such investigations could start with obtaining data on where COI are shipped to, or received from, by currently covered facilities. ISCD may need additional Congressional authorization to require that facilities provide this information to ISCD.
