Saturday, December 31, 2022

Short Takes – 12-31-22

Recent discoveries indicate the moon's surface has massive saltwater oceans. NextGov.com article. Pull quote: ““Our research shows that if a biosphere is present in Enceladus’ ocean, signs of its existence could be picked up in plume material without the need to land or drill,” says Affholder, “but such a mission would require an orbiter to fly through the plume multiple times to collect lots of oceanic material.””

Artemis 1 to James Webb Space telescope pics: The biggest moments in space exploration in 2022. IndianExpress.com article. Pull quote: “2022 was no doubt a momentous year for humanity’s achievements in space exploration. The most significant was Nasa’s Artemis 1, which marks the first steps on a long road to take humans back to the moon almost 50 years after Apollo 17, the last crewed mission. This year also saw the state-of-the-art James Webb Space Telescope (JWST) open for business, offering scientists unprecedented views into the distant universe. While NASA added more feathers to its cap, Chinese space agency CNSA (China National Space Administration) deployed and completed its Tiangong (“Heavenly Palace”) space station, becoming only the third nation to build its own space station after the United States and the Soviet Union.”

Immigration, energy, abortion: Scalise announces first legislation for House GOP. TheHill.com article. Pull quote: “None of the legislative items appear likely to pass in a Democratic-controlled Senate and signal that Republicans will put a heavy focus on messaging as they control the chamber in a divided Washington for the next two years.”

Conservatives vying to derail Kevin McCarthy's speaker bid may not be able to stop him. But forcing multiple votes — the record is 133 — could still make for a historic fight. BusinessInsider.com article. A brief history lesson. Pull quote: “The current parlor game in Washington is trying to figure out how long — Minutes? Days? Weeks? — frustrated Republican hardliners like protest candidate Rep. Andy Biggs of Arizona, anti-McCarthy agitator Rep. Matt Gaetz of Florida, and the half-dozen, concession-seeking conservatives aligned with Rep. Scott Perry of Pennsylvania can keep the gavel out of his hand.”

After Substation Shooting, Federal Regulator Orders Review of Security Standards. GovExec.com article. Pull quote: ““One, it reminds us that we need to take physical security into account just as we do cyber security,” FERC Chairman Richard Glick said last week at the commission meeting, cautioning that the motives for the Moore County attack and some similar incidents elsewhere remain murky and under investigation by local and state law enforcement.”

Review – Public ICS Disclosures – Week of 12-24-22

This week we have seven vendor disclosures from ABB, BD, Broadcom, Fuji Electric (2), Hitachi, and QNAP. Finally, we have a vendor update from Mitsubishi Electric.

Vendor Advisories

ABB Advisory - ABB published an advisory that describes two vulnerabilities in their NE843 Pulsar Plus Controller.

BD Advisory - BD published an advisory discussing an improper authentication vulnerability (with known exploit) in their Alaris products.

Broadcom Advisory - Broadcom published an advisory that discusses five Linux Kernel (ksmb module) vulnerabilities.

Fuji Advisory #1 - JP CERT published an advisory that describes three vulnerabilities in the Fuji V-Server.

Fuji Advisory #2 - JP CERT published an advisory that describes two vulnerabilities in the Fuji Electric V-SFT and TELLUS products.

Hitachi Advisory - Hitachi published an advisory that discusses 27 vulnerabilities in their Disk Array Systems.

QNAP Advisory - QNAP published an advisory that discusses one of the five recent Linux Kernel (ksmb module) vulnerabilities.

Vendor Updates

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on December 13th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-347-01) for this information.


For more details about these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-388 - subscription required.

Friday, December 30, 2022

Short Takes – 12-30-22

Santos reportedly used ‘Anthony Zabrovsky’ alias on charity GoFundMe page. TheHill.com article. Pull quote: “Santos claimed earlier this year that his maternal grandparents changed their last name from Zabrovsky to conceal their Jewish heritage. Records show that the newly elected representative used the alias “Anthony Zabrovsky” for a pet charity on GoFundMe, the web page for which no longer exists.”

Exotic clasts in Chang'e-5 samples indicate unexplored terrane on moon. NewsWise.com article. Whoda Thunk? Geology not seen in Apollo missions? Pull quote: “This study was the first to obtain exotic igneous lithologies from the 2 Gyr-aged basalt unit of the Moon. This information will provide ground truth for modeling the provenance of regolith at the young mare unit of the Moon. Moreover, the identification of unusual lunar rocks in the Chang'e-5 sample provides evidence that the lithological components and magmatic activities of the lunar crust are more diverse than previously thought.”

Conservatives' latest McCarthy ask: A broad Biden admin investigation. Politico.com article. Pull quote: “While the Republican leader and soon-to-be committee chairs have already lined up a laundry list of investigations that will largely command the House GOP’s agenda next year, it’s not enough for some McCarthy critics. Some of those opposing and on the fence about the Californian’s speakership bid want him to start a new panel, one that could direct probes against the entities they’ve castigated for years, including the FBI, the Justice Department, the IRS and Anthony Fauci.”

COVID Spreading Much Faster in China Than Health Officials Feared. TheDailyBeast.com article. Pull quote: “Zeng Guang, former chief epidemiologist at the Chinese Center for Disease Control and Prevention (CDC), has admitted that “we didn’t expect the first wave to be this vehement,” The Times reported Friday. After the Chinese government dropped key restrictions of its “zero-COVID” approach to managing the pandemic earlier this month, COVID infections rapidly spread to engulf over half of the population in many urban areas, Zeng said, before continuing to spread further. He added that around 17 million people in Beijing—or 80 percent of the capital’s population—might have been infected.”

Weaponized Aerial Drones and the Homeland: Increasing Domestic Terrorism Concerns. HSToday.us article. Pull quote: “While some drones may utilize only one capability during an attack and may work in tandem with another drone, these capabilities are not always mutually exclusive. A single weaponized drone could engage in ISR [intelligence, surveillance, and reconnaissance] and locate a target, engage that target with an IED, and also capture the attack on video, which is subsequently released on social media for terrorist propaganda purposes.”

Europe Could Ban Filipino Crews From Cargo Ships, Rocking an Already Messed-Up Industry. Jalopnik.com article. Pull quote: “Deutsche Welle reports the ban is being considered after an audit by the European Maritime Safety Agency. European regulators found that maritime education institutions in the Philippines didn’t meet standards set by the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers. If the European Commission decides to take action, the European Union will no longer recognize competency certifications issued in the Philippines. Current certificates would be recognized until they expire, which could be at most five years from now.”

How Bad Is China’s Covid Outbreak? It’s a Scientific Guessing Game. NYTimes.com article. More nuanced look at the data problem. Pull quote: “As scientists sift through varied sources of shaky information, they are bracing for potentially catastrophic outcomes. Barring new precautionary steps, some worst-case estimates suggest that Covid could kill as many people in China in the next four months as it has Americans during the entire three-year pandemic.”

CSB Publishes Last Catchup Investigation Report for 2022

Yesterday, the Chemical Safety and Hazard Investigation Board (CSB) announced the publication of their final investigation report on the 2018 explosion and fires at the Husky Superior Refinery in Superior, Wisconsin. This was another incident at a fluid catalytic cracking (FCC) unit at a refinery that used hydrofluoric acid as the catalyst in such a unit. There was no HF release in this incident, but major precautionary civilian evacuations were conducted near the refinery because of the proximity of the HF storage tank to the incident.

The incident occurred during startup after a turnaround of the FCC unit. The initial explosions occurred in two vessels of the Gas Concentration unit. The report describes some anomalies noted just prior to the explosions but does not provide an explanation for the possible cause of the explosions (sometimes the root cause just cannot be determined). The main item of interest, however, is that debris ejected from the unit by the explosions punctured a very large asphalt storage tank. The hole in the tank was large enough and low enough to cause a stream of liquid asphalt (at about 320 degrees F) to pour out over the top of the containment berm that surrounded the tank and spread throughout the FCC unit area. While not technically a flammable liquid (flash point in excess of 200 degrees C), the material was hot enough that it eventually ignited, spreading flames throughout the unit. The ignition source apparently was not determined either.

There are a number of interesting mini discussions about a wide variety of process safety topics throughout the description of the incident. For example, on page 49, there is a look at the internal discussions during the incident about putting water on the very hot asphalt to slow its spread and prevent fires.

The publication of this report completes the CSB’s 2022 schedule for catching up on the backlog of inspection reports. The most recent version of that schedule shows that the CSB intends to publish six additional investigation reports (dating back to 2019) in the first six months of 2023.

Thursday, December 29, 2022

Short Takes – 12-29-22

FRA: Safety Advisory 2022-02; Addressing Unintended Train Brake Release. FederalRegister.gov notice. Summary: “FRA is issuing Safety Advisory 2022-02 to make the rail industry aware of a recent issue encountered by a train crew that experienced an unintended brake release of a train's automatic air brakes while stopped at a signal, and to recommend steps addressing the unintended release of train air brakes.”

White House to Jim Jordan, James Comer: Sorry, but you have to restart your oversight requests. Politico.com article. Pull quote: “Sauber did not rule out satisfying the requests once the next Congress is sworn in. But his letter nevertheless represents the first volley in what is likely to be a contentious and potentially litigious two years between House Republicans and the Biden White House. More narrowly, it is an apparent effort to shield the administration from a hail of potential subpoenas in early January by describing them as an abuse of the normal process of congressional oversight.” Make headlines not legislation?

Congressional Inquiry into Alzheimer’s Drug Faults Its Maker and F.D.A. NYTimes.com article. Pull quote: “The congressional report issued three recommendations the F.D.A. should adopt immediately, including proper documentation of its interactions with drug companies and clear protocols for when it can create joint presentations with them. The report also recommended that Biogen and other companies clearly communicate safety and efficacy concerns to the F.D.A. and consider the actual value of a drug when setting prices.”

They Called 911 for Help. Police and Prosecutors Used a New Junk Science to Decide They Were Liars. ProPublica.org article. Pull quote: “Junk science in the justice system is nothing new. But unvarnished correspondence about how prosecutors wield it is hard to come by. It can be next to impossible to see how law enforcement — in league with paid, self-styled “experts” — spreads new, often unproven methods. The system is at its most opaque when prosecutors know evidence is unfit for court but choose to game the rules, hoping judges and juries will believe it and vote to convict.”

Review - CFATS and the 118th Congress

There has been a lot of discussion in the press about the legislative agenda facing a narrowly divided 118th Congress. The normal slew of spending bills and authorization bills is going to be hard enough for a (mostly) Republican House to craft in a manner that will pass a (mostly) Democratic Senate; then there are the more controversial bills, like the federal borrowing limit, that will really test the Congress. But a small federal program, well familiar to readers of this blog, the Chemical Facility Anti-Terrorism Standards (CFATS) program, is set to expire this summer unless it is reauthorized. This program faces the added challenge that three committees oversee the fate of the program and take at least three (sometimes four or five) different outlooks on where the program should head in the next authorization period.

Short-Term Extension

It is unlikely that an extension bill will be crafted and wend its way through the legislative process before July 27th, 2023 (see Statutory Notes to 6 USC 621). We are likely to see a short-term extension of the CFATS program as part of some other passable bill. I would not be surprised to see such an extension set to September 30th, 2023, at which point further extensions would be included in the DHS spending bill until some sort of deal is actually worked out.


For a more detailed discussion about the reauthorization of the CFATS program, including a look at what might be included in such a bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-and-the-118th-congress - subscription required.


Review - CSB Publishes Quarterly Accidental Release Reporting Data – 12-28-22

Last week the Chemical Safety Board updated their published list of reported chemical release incidents. They added 29 new incidents that occurred since the previous version was published in July. One incident from the previous quarter was removed from the list. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604). The press release announcing the publication of the updated list included comments on calls for increased attention to process safety management during winter periods.


For more details about the accident reporting data, including a description of an incident that was removed from the list and one that should have been reported, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-quarterly-accidental - subscription required.

Wednesday, December 28, 2022

Short Takes – 12-28-22

George Santos Confessed to Lying, But There’s a Lot More Out There. And It’s Really Weird. StatusKuo.Substack.com article. The 118th Congress is going to be interesting. Pull quote: “But we will not forget, in part because looming over all of this is a political question with very big implications: Will Santos be seated in the House come January, and if he is, what happens next? Given the bare four-seat majority that the GOP holds in that chamber and Kevin McCarthy’s mad scramble to secure every single vote he can in support of his Speakership, the answer could prove pivotal. So let’s examine those finances a bit more closely and then see what, if anything, that might change for Santos’s (and by extension, Kevin McCarthy’s and the GOP’s) political future.”

Most of Jackson, Miss., is without water after ‘invisible leak’. WashingtonPost.com article. Someone missed putting ‘yet again’ in the title. Pull quote: “Henifin said part of the problem is that the system doesn’t have the monitoring technology needed to find the leak. He said the city has experienced a lack of funding worse than many other cities of its size.”

The West Coast is being drenched by ‘atmospheric rivers.’ What are they? WashingtonPost.com article. Amid a drought, a flood. Pull quote: “Some improvement is likely Wednesday and Thursday across the West, but there are signs of another atmospheric river event on the way. The instigating low-pressure system, visible as a swirl on water vapor imagery, is currently sliding east to the south of the Alaskan Aleutians, and will tug ashore another ribbon of moisture as we head into the weekend.”

Review - TSA Publishes 30-day Pipeline CSR ICR Notice

Today the TSA published a 30-day information collection request (ICR) revision notice in the Federal Register (87 FR 79899-79900). The 60-day ICR notice was labeled as an ‘extension’, not a revision. This notice reports that there will be a revision of the voluntary “Pipeline Corporate Security Review (PCSR)” workbook that will reduce the burden associated with this ICR. Additionally, the name is being changed to “Pipeline Corporate Security Reviews (PCSR) and Security Directives” to reflect the changes that had been previously approved by the OMB’s Office of Information and Regulatory Affairs (OIRA).

Soliciting Comments

The TSA is soliciting comments on this ICR revision/extension. Comments may be submitted by email to www.reginfo.gov/public/do/PRAMain. Comments should be submitted by January 27th, 2023.

For more details on the ICR notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-30-day-pipeline-csr - subscription required.


Tuesday, December 27, 2022

Short Takes – 12-27-22

3 Washington state electric substations vandalized. ABCNews.go.com article. Quickly fixed. Pull quote: “Meanwhile, just before noon, Puget Sound Energy reported vandalism that had happened at about 2:30 a.m. Sunday caused a power outage at one of its substations. The nearly 7,700 customers who lost power had it restored by 5 a.m., Puget Sound spokesperson Andrew Padula said. The company is investigating, along with authorities, and declined to comment further, Padula said.”

Tesla’s Full Self-Driving is blamed for eight-car pileup in California. TheVerge.com article. Are we going to see an article about every Musk car accident? Pull quote: “Each of these incidents seems to implicate Tesla’s advanced driver-assistance system (ADAS), Autopilot, or the automaker’s $15,000 Full Self-Driving (FSD) software package that performs many of the same tasks as Autopilot on local and residential streets. The first reported crash to allege that FSD was in operation happened last year in a Model Y vehicle.” Note: The Verge owns a significant link nerd.

Time is running short for McCarthy to lock up Speakership. TheHill.com article. And the conversations continue for another week. Pull quote: “Meanwhile, more than 100 current and incoming House Republicans have publicly said they support McCarthy for Speaker, and many are frustrated about the opposition. The uncertainty has already caused House Republicans to put off selecting committee chairs, delaying behind-the-scenes organizing activities like hiring staff for the next Congress.”

Hazardous Materials: Editorial Corrections and Clarifications. FederalRegister.gov final rule. Summary: “This final rule corrects editorial errors and improves the clarity of certain provisions in PHMSA's program and procedural regulations and in the Hazardous Materials Regulations. The intended effect of this rulemaking is to enhance accuracy and reduce misunderstandings of the regulations. The amendments contained in this final rule are non-substantive changes and do not impose new requirements.”

Review: Bev by Black & Decker Cocktail Maker. Wired.com article. Pull quote: “As for the cocktails, they’re hit and miss. They all veer toward being too sweet—some overwhelmingly so, no matter what strength you select—though in testing a half-dozen different pods, I surprisingly found the cosmopolitan to be the most approachable, followed by the old-fashioned. The Long Island iced tea wasn’t half bad, either, but memory of course gets a bit foggy from that point on.” Can’t wait for the ‘SMART’ version (sigh). 

Monday, December 26, 2022

Review - CISA Publishes 60-day Revision ICR for CSAT Collection Tools

CISA published a 60-day information collection request (ICR) notice in tomorrow’s (available online on Saturday) Federal Register (87 FR 79337-79341) for “Request To Revise and Extend the Chemical Security Assessment Tool (CSAT) Information Collection Under the Paperwork Reduction Act”. The revisions are designed to update the burden estimate based upon the average submission data for the six covered information collections for the last three program years. There are no major program changes discussed in this ICR.

The covered information collections are:

Top Screen,

Security Vulnerability Assessment (SVA) & Alternative Security Program (ASP) Submitted in Lieu of an SVA,

Site Security Plan (SSP) & Alternative Security Program (ASP) Submitted in Lieu of an SSP,

CFATS Help Desk,

CSAT User Registration, and

Identification of Additional Facilities and Assets at Risk

Soliciting Comments

CISA is soliciting comments on this ICR revision. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2022-0018). Comments should be submitted by February 27th, 2023.

For more details about the ICR revisions, including discussions about potential changes to the Site Security Plan data collection, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-60-day-revision-icr - subscription required.

Saturday, December 24, 2022

Short Takes – 12-24-22

Recent Attacks Underscore Need to Secure Utilities. TotalSecurityAdvisor.blr.com article. Scary pull quote: “When it comes to third-party vendors communicating with your server, you should “monitor it and determine whether it needs to stay on all the time. Lots of remote access can be shut off when it’s not being used. It’s a little bit more of a burden on IT staff but from a threat standpoint it is one of the better ways to go about this,” Walcutt continued.”

House Approves $1.65 Trillion Omnibus Spending Bill. WSJ.com article. Pull quote: “The vote was largely along party lines, with only one Democrat, Rep. Alexandria Ocasio-Cortez of New York, voting against the bill. Rep. Rashida Tlaib of Michigan voted present. Both have aired concerns about sharp increases in military spending. Nine Republicans crossed party lines to back the measure.”

Putin, Isolated and Distrustful, Leans on Handful of Hard-Line Advisers. WSJ.com article. Lengthy article. Justifying quote: “This article is based on months of interviews with current and former Russian officials and people close to the Kremlin who broadly described an isolated leader who was unable, or unwilling, to believe that Ukraine would successfully resist. The president, these people said, spent 22 years constructing a system to flatter him by withholding or sugarcoating discouraging data points.”

In rural Georgia, an unlikely rebel against Trumpism. WashingtonPost.com article. Stereotypes frequently miss. Pull quote: “How Johnson became an unlikely part of an emerging voter revolt against Trumpism is not so much the story of some political strategy, or even the policies of the national Democratic Party, which has long been accused of ignoring places such as northwest Georgia.”

CSB Publishes Final Report on Kuraray America 2018 Ethylene Release and Fire

Earlier this week the Chemical Safety Board published their second accident report of the week, describing the results of their investigation of the 2018 ethylene release and fire at the Kuraray America manufacturing facility in Pasadena, TX. That fire injured 23 personnel. The CSB also provides a video overview of the incident.

You ever watch one of those cheap, poorly written detective movies where everyone figures out whodunnit in the first 20 minutes of the film, except the intrepid detective? That is what I felt when I watched the video. So many things were done wrong that it is amazing the incident did not occur earlier, or more catastrophically. The final event was the emergency venting of ethylene into an area where welding was going on.

Investigation Backlog

In my post on the earlier report this week, I reported that there were two remaining reports that the CSB had promised to complete by the end of the year and I noted: “It does not look like they will make it, given the holidays.” Well, I need to revise that now. With two reports in one week, there does not seem to be any reason to expect that the CSB could not publish the final report (Husky Energy Refinery – Superior, WI, 4/26/2018) in the upcoming short week. And I am happy to add that they did not appear to take any short cuts in completing this last week’s two reports.

Review - NCOE Cybersecurity for the Manufacturing Sector

Earlier this week the National Institute of Standards and Technology published a notice in the Federal Register (87 FR 78942-78944) inviting organizations to provide letters of interest describing products and technical expertise to support and demonstrate security platforms for the “Responding to and Recovering from a Cyberattack: Cybersecurity for the Manufacturing Sector” project. This project will be a collaborative effort with the National Cybersecurity Center of Excellence (NCCoE).

NCCoE expects that letters of interest seeking to be part of the project need to acknowledge the importance of and commit to provide:

“Access for all participants' project teams to component interfaces and the organization's experts necessary to make functional connections among security platform components.

“Support for development and demonstration of the Responding to and Recovering from a Cyberattack: Cybersecurity for the Manufacturing Sector project, which will be conducted in a manner consistent with the following standards and guidance: FIPS 200, FIPS 201, SP 800-82 and SP 800-53, the NIST Cybersecurity Framework, and the NIST Privacy Framework.”

Interested parties can access the request for a letter of interest template by visiting the project website and completing the letter of interest webform. The project will begin moving forward as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than January 23, 2023, so that is the effective deadline for submission.


For more details about the Notice, see my article in CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ncoe-cybersecurity-for-the-manufacturing - subscription required.

CRS Reports – Congressional Oversight

This week the Congressional Research Service (CRS) updated their report: “Congressional Oversight Manual”. This Manual provides information for the incoming Congress Members and their staffs (mainly the staffs, since they do the real work) on the congressional responsibilities related to the oversight of the Executive Branch’s implementation of legislative requirements.

According to the introduction (pg 2):

“A fundamental objective of the Congressional Oversight Manual is to assist Members, committees, and legislative staff in carrying out this vital legislative function. It is intended to provide a broad overview of the procedural, legal, and practical issues that are likely to arise as Congress conducts oversight. This includes information on the mechanics of oversight practice based on House and Senate rules, common investigative techniques, and an inventory of statutes that impact oversight activity. In addition, the Manual discusses important legal principles that have developed around Congress’s oversight practice. The Manual is organized both to address specific questions and to support those seeking a general introduction to or broader understanding of oversight practice.”

There is an interesting discussion about identifying relevant committee jurisdiction for oversight. It notes that:

“The committee jurisdictional statements in House Rule X and Senate Rule XXV specify the subjects that fall within each committee’s jurisdiction. In general, the rules do not address specific departments, agencies, programs, or laws but are stated in broad subject terms. Therefore, multiple committees may exercise some jurisdiction—especially in regard to oversight—over the same departments and agencies or over different elements of the same agency activities.”

While this can sometimes lead to holes in oversight, it more frequently means that federal agencies have to keep multiple committees up to date on their operations with nearly duplicative reports.

Review – Public ICS Disclosures – Week of 12-17-22

This week we have an OpenSSL 3.0 disclosure from Palo Alto Networks. There are nine vendor disclosures from Dahua, Dell, DIGI, Hikvision, HPE, Microchip, Motorola Solutions, TandD, and Western Digital. Finally, there is a vendor update from Siemens.

OpenSSL 3.0

Palo Alto Networks published an advisory discussing the OpenSSL 3.0 vulnerabilities.

Vendor Disclosures

Dahua Advisory - Dahua published an advisory that describes twelve vulnerabilities in a variety of Dahua products.

Dell Advisory - Dell published an advisory that describes nine vulnerabilities (includes 3 third-party vulnerabilities) in their Wyse Management Suite. 

DIGI Advisory - DIGI published an advisory that discusses the FragAttack vulnerabilities.

Hikvision Advisory - Hikvision published an advisory that describes an access control vulnerability in their wireless bridge products.

HPE Advisory #1 - HPE published an advisory that describes a directory traversal vulnerability in their OfficeConnect 1820 and 1850 Switch Series.

HPE Advisory #2 - HPE published an advisory that describes a data injection vulnerability in their Superdome Flex and Superdome Flex 280 Servers.

Microchip Advisory - Microchip published an advisory that discusses the Blue's Clues vulnerabilities.

NOTE: Watch Blue’s Clues (sorry, I could not help myself), cute name and everything. It looks like this will be a major issue for Bluetooth enabled devices, particularly medical devices.

Motorola Advisory - Motorola published an advisory discussing the Fortinet buffer overflow vulnerability.

TandD Advisory - TandD published an end of support notice for products operating on Windows 7 and Windows 8 platforms.

Western Digital Advisory - Western Digital published an advisory describing an information disclosure vulnerability in their My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices.

Vendor Updates

Siemens Update - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on December 13th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-349-14) for the new information.


For more details about these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-f5b - subscription required.

Friday, December 23, 2022

Short Takes – 12-23-22

Russia might send up rescue ship for ISS crew. Phys.org article. Pull quote: “There are currently seven people aboard the orbital outpost, but if MS-22 were deemed unfit, it would also mean the ISS has just one "lifeboat" capable of carrying four people, in case it needs to be evacuated.”

The permanent Microsoft DCOM hardening patch could shut down your ICS. IndustrialCybersecurityPulse.com article. Pull quote: “The DCOM hardening patch was designed to strengthen authentication between DCOM clients and servers. However, Microsoft has indicated some ICS products will be unable to establish a proper DCOM connection once the hardening patch takes effect. Rockwell Automation has since issued its own statement acknowledging its machines will be unable to establish a proper DCOM connection after installation of the Microsoft DCOM hardening patch.”

Why Many Cold Medicines Don’t Work to Relieve Congestion. WSJ.com article. Pull quote: “Phenylephrine is also the main ingredient in injections that increase blood pressure and in topical treatments to relieve hemorrhoids. As a decongestant, studies have found phenylephrine works when given via nasal spray.”

Egg Prices Surge to Records as Bird Flu Hits Poultry Flocks. WSJ.com article. Pull quote: “More than 40 million egg-laying chickens have died in the current outbreak, according to USDA data, with the total supply of egg-laying chickens falling more than 5%—to about 308 million—from the start of January to December.”

Impact of the Implementation of the Chemical Weapons Convention (CWC) on Legitimate Commercial Chemical, Biotechnology, and Pharmaceutical Activities Involving “Schedule 1” Chemicals (Including “Schedule 1” Chemicals Produced as Intermediates) During Calendar Year 2022. FederalRegister.gov request for information. Pull quote: “The Bureau of Industry and Security is seeking public comments on the impact that implementation of the Chemical Weapons Convention, through the Chemical Weapons Convention Implementation Act of 1998 and the Chemical Weapons Convention Regulations, has had on commercial activities involving “Schedule 1” chemicals during calendar year 2022. The purpose of this notice of inquiry is to collect information to assist BIS in its preparation of the annual certification to the Congress on whether the legitimate commercial activities and interests of chemical, biotechnology, and pharmaceutical firms are harmed by such implementation.”

Enhancing Surface Cyber Risk Management. FederalRegister.gov comment date extension. Pull quote: “The ANPRM solicited comment on specific questions, which would assist TSA in better understanding how the pipeline and rail sectors implement cyber risk management in their operations, support TSA in achieving objectives related to the enhancement of pipeline and rail cybersecurity, and help TSA develop a comprehensive and forward-looking approach to cybersecurity requirements. Through this document, TSA is extending the comment period by 15 calendar days to provide additional time for the public to provide comments.”

Incorporation by Reference; North American Standard Out-of-Service Criteria; Hazardous Materials Safety Permits. FederalRegister.gov final rule. Pull quote: “FMCSA amends its Hazardous Materials Safety Permits regulations to incorporate by reference the April 1, 2022, edition of the Commercial Vehicle Safety Alliance's (CVSA) handbook (the handbook) containing inspection procedures and Out-of-Service Criteria (OOSC) for the inspection of commercial motor vehicles used in the transportation of transuranic waste and highway route-controlled quantities of radioactive material. The OOSC provide enforcement personnel nationwide, including FMCSA's State partners, with uniform enforcement tolerances for these inspections. Through this rule, FMCSA incorporates by reference the April 1, 2022, edition of the handbook.”

Review – 4 Advisories Published – 12-22-22

Yesterday, CISA’s NCCIC-ICS published four control system security advisories for products from Omron, Mitsubishi Electric, Rockwell Automation, and Priva.

Omron Advisory - This advisory describes an out-of-bounds write vulnerability in the Omron CX-Programmer.

NOTE: I briefly discussed this vulnerability (and two others reported at the same time) on November 26th, 2022 and most recently updated that discussion on December 18th, 2022.

Mitsubishi Advisory - This advisory describes an improper resource shutdown or release vulnerability in the Mitsubishi MELSEC iQ-R, iQ-L Series and MELIPC Series CPU modules.

Rockwell Advisory - This advisory describes an improper access control vulnerability in the Rockwell Studio 5000 Logix Emulate product.

Priva Advisory - This advisory describes a use of password hash with insufficient computational effort vulnerability in the Priva TopControl Suite.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-12-22-22 - subscription required.


Wednesday, December 21, 2022

Short Takes – 12-21-22

Senate trudges toward vote on $1.7T spending bill amid conservative pushback. Politico.com article. Snow storm as a political tool. Pull quote: “Senate Republican leadership is stopping short of projecting how many of their members will ultimately vote for the bill, which will need 10 GOP votes to pass. And across the Capitol, Republicans are expected to oppose it en masse after pushing for a short-term punt into early next year; House GOP leadership formally whipped against the spending bill on Tuesday.”

DHS Seeks Ideas for Automated Cyberattack Detectors in Annual Notice. NextGov.com article. Pull quote: “The Department of Homeland Security is seeking applications from small businesses to address seven “technology needs” as part of the department’s fiscal year 2023 Science and Technology Directorate Small Business Innovation Research—or SBIR—program, including for proposals to “develop a hardware-assisted real-time accurate detector of cyberattacks on networked and edge electronic devices.” See below for more information.

Small Business Innovation Research (SBIR) Program Solicitation. SAM.gov solicitation. Pull quote:

“The following are the topics for the FY23 S&T Directorate’s SBIR Program:

“DHS231-001 - Accurate and Real-time Hardware-assisted Detection of Cyber Attacks

“DHS231-002 - Air Cargo Manifest Analysis to Aid Screeners

“DHS231-003 - First Responder Digital Badges

“DHS231-004 - Machine Learning Based Integration of Alarm Resolution Sensors

“DHS231-005 - Mission Critical Services Server-to-Server Communication, voice communications, 3GPP-Standards

“DHS231-006 - Reduced Order Modeling of Critical Infrastructure Protect Surfaces”

Community voices concerns over American Chemical Society magazine. ChemistryWorld.com article. Pull quote: “‘When we got word as an advisory board in 2021 that C&EN was moving from publications to the communications division, it set off a lot of red flags,’ says inorganic chemist Matt Hartings, who helped organise the open letter. ‘As an advisory board, we are particularly aware of the need for independence – if you’re doing reporting, your reporting needs to be trusted by the people you’re reporting for. And you don’t want to be reporting for the same person who does [public relations] for the society. So, there’s all sorts of conflicts of interest.’”

Protected Critical Infrastructure Information: Technical Amendments. FederalRegister.gov final rule. Summary: “This final rule amends the Protected Critical Infrastructure Information regulations to provide non-substantive technical, organizational, and conforming updates that are intended to improve the accuracy of these provisions. This action is editorial in nature and does not impose any new regulatory requirements on affected parties.”

Hazardous Materials: Enhanced Safety Provisions for Lithium Batteries Transported by Aircraft (FAA Reauthorization Act of 2018). FederalRegister.gov final rule. Summary: “This final rule revises the Hazardous Materials Regulations for lithium cells and batteries transported by aircraft and is consistent with the previously published Interim Final Rule, which responded to congressional mandates; prohibited the transport of lithium ion cells and batteries as cargo on passenger aircraft; required lithium ion cells and batteries to be shipped at not more than a 30 percent state of charge aboard cargo-only aircraft when not packed with or contained in equipment; and limited the use of alternative provisions for smaller lithium cell or battery shipments to one package per consignment.”

OMB Approves BIS Marine Toxin Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Implementation of Australia Group Decisions (November 2021 and March 2022 Virtual Implementation Meetings; July 2022 Plenary): Controls on Marine Toxins, Plant Pathogens and Biological Equipment”. The final rule was sent to OMB on December 8th, 2022.

According to the listing for this rulemaking in the 2022 Spring Unified Agenda:

“The Bureau of Industry and Security (BIS) has identified four naturally occurring, dual-use, biological toxins for evaluation as a potential emerging technology, consistent with the interagency process described in Section 1758 of the Export Control Reform Act of 2018 (ECRA) (50 U.S.C. 4801-4852), as codified under 50 U.S.C. 4817.  These toxins have the potential (through either accidental or deliberate release) to cause casualties in humans or animals, degrade equipment, or damage crops or the environment.  Furthermore, they are now capable of being more easily isolated and purified due to novel synthesis methods and equipment.  Consequently, the absence of export controls on these toxins could be exploited for biological weapons purposes.  To address this concern, BIS proposes to amend the Commerce Control List (CCL) by adding these toxins to Export Control Classification Number (ECCN) 1C351.  This rule requests public comments to ensure that the scope of these proposed controls will be effective and appropriate (with respect to their potential impact on legitimate commercial or scientific applications).”


Tuesday, December 20, 2022

Short Takes – 12-20-22

What made the cut in Congress’s 4,155-page, $1.7 trillion funding bill — and what didn’t. TheHill.com article. HR 2167 Substitute Language. Pull quote: “Its expected passage in the days ahead will cap off months of stalemates in haggling over issues like levels of growth for defense and nondefense spending and decades-old riders.”

Lawmakers Boost Military, Domestic Spending in $1.65 Trillion Omnibus Bill. WSJ.com article. A slightly different look. Pull quote: ““Under no circumstances are we going to go over the shutdown deadline” in the Senate, said Sen. Mike Lee (R., Utah). He was among a small group of Senate Republicans who grumbled over the length of the bill and the short time they had been given to review it—though they said they wouldn’t try to delay its passage, beyond requesting amendment votes.”

Turbulent Honolulu flight illustrates phenomenon's risks. ABCNews.go.com article. Turbulence incidents increasing. Pull quote: “Clear-air turbulence happens most often in or near the high-altitude rivers of air called jet streams. The culprit is wind shear, which is when two huge air masses close to each other move at different speeds. If the difference in speed is big enough, the atmosphere can’t handle the strain, and it breaks into turbulent patterns like eddies in water.”

NASA Gets Unusually Close Glimpse of Black Hole Snacking on Star. JPL.NASA.gov article. ‘Close’ is relative - 250 million light-years. Pull quote: “The focus of the new study is an event called AT2021ehb, which took place in a galaxy with a central black hole about 10 million times the mass of our Sun (about the difference between a bowling ball and the Titanic). During this tidal disruption event, the side of the star nearest the black hole was pulled harder than the far side of the star, stretching the entire thing apart and leaving nothing but a long noodle of hot gas.”

Spaceflight Companies Promised to Do Science—So How’s It Going? Wired.com article. Near-space companies not so good. Pull quote: “Still, private spaceflights have gotten far more attention for their celebrity customers than their scientific payloads. Jordan Bimm, a University of Chicago space historian, worries that science is being sold as a token add-on in an experience that mainly sells prestige and spectacular panoramic views. “It gives a scientific aura to the mission and to the participants when they go back to Earth,” satisfying cultural expectations associating space with science, he says.”

CSB Releases TPC Group Port Neches Operations Facility Investigation Report

Yesterday, the Chemical Safety Board published their final report on the 2019 explosions and fire at the TPC Port Neches Operations Facility. The report outlines the actions that led to the incident, starting 114 days before the first explosion. The report identifies and discusses four major safety problems. It goes on to outline the safety recommendations made by the Board as a result of the investigation, three for TPC and two for the American Chemistry Council.

This Report

The four safety issues identified in the report were:

• Dead leg identification and control,

• Process Hazard Analysis action item implementation,

• Control and prevention of popcorn polymer, and

• Remotely operated emergency isolation valve.

The root cause of the accident was not having a process in place to identify and rectify process dead legs, liquid-filled pieces of process equipment without mixing or drainage. When a pipe was taken out of service, a dead leg was created that was filled with process fluids containing butadiene, a flammable monomer. When that monomer began to polymerize in the dead leg, it formed a solid polymer (popcorn polymer) that took up more volume than the process liquid. On the day of the incident, the pressure in the dead leg exceeded the pressure containment capability of the pipe. The resulting non-flammable ‘explosion’ damaged an adjacent butadiene line, releasing butadiene gas into the facility. Those fumes quickly reached an unidentified ignition source, resulting in multiple explosions and fires.

Investigation Back Log

Back in October, the CSB published a plan to close out the backlog of 14 uncompleted investigations. This TPC investigation is one of three that were forecast to be completed by the end of the year. The other two are:

• Kuraray EVAL - Pasadena, TX 5/19/2018, and

• Husky Energy Refinery – Superior, WI, 4/26/2018

It does not look like they will make it, given the holidays. 

Review – 5 Advisories and 1 Update Published – 12-20-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Delta Industrial, Rockwell Automation (2), ARC, and Fuji Electric. They also updated an advisory for products from Prosys.

Advisories

Delta Advisory - This advisory describes a command injection vulnerability in the Delta DX-3021 4G Router.

Rockwell Advisory #1 - This advisory describes two vulnerabilities in the Rockwell MicroLogix—a line of programmable logic controllers (PLCs).

NOTE – I briefly discussed these vulnerabilities Sunday.

Rockwell Advisory #2 - This advisory describes an improper input validation vulnerability in the Rockwell GuardLogix and ControlLogix controllers.

NOTE – I briefly discussed these vulnerabilities Sunday.

ARC Advisory - This advisory describes two vulnerabilities in the ARC PcVue SCADA software. The vulnerabilities are self-reported.

NOTE: I briefly discussed one of the vulnerabilities on November 26th, 2022.

Fuji Advisory - This advisory describes two vulnerabilities in the Fuji Electric Tellus Lite V-Simulator.

Update

Prosys Update - This update provides additional information on an advisory that was originally published on December 15th, 2022.

 

For more details about these vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-462 - subscription required. 

FAR Cyber Incident Reporting NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a Federal Acquisition Regulation notice of proposed rule making for “FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing”. According to the listing in the 2022 Spring Unified Agenda:

“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to increase the sharing of information about cyber threats and incident information between the Government and certain providers, pursuant to OMB recommendations, in accordance with section 2 (b)-(c), and Department of Homeland Security recommendations, in accordance with section 8(b), of Executive Order 14028, Improving the Nation’s Cybersecurity. In addition, requires certain contractors to report cyber incidents to the Federal Government to facilitate effective cyber incident response and remediation, pursuant to Department of Homeland Security recommendations in accordance with sections 2(g)(i) of Executive Order 14028 [link added].”


FAR Cybersecurity for Unclassified Information NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a Federal Acquisition Regulation (FAR) notice of proposed rulemaking for “FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems”. According to the entry in the 2022 Spring Unified Agenda listing for this rulemaking:

“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to standardize common cybersecurity contractual requirements across Federal agencies for unclassified information systems, pursuant to Department of Homeland Security recommendations in accordance with sections 2(i) and 8(b) of Executive Order 14028 [link added], Improving the Nation’s Cybersecurity.”

Bills Introduced – 12-19-22

Yesterday, with just the Senate in session, there were ten bills introduced. Two of those bills may see additional coverage in this blog:

S 5294 A bill to amend the Comprehensive Environmental Response, Compensation, and Liability Act of 1980 to establish within the Environmental Protection Agency the Office of Mountains, Deserts, and Plains, and for other purposes. Kelly, Mark [Sen.-D-AZ]

S 5298 A bill to provide the Under Secretary for Science and Technology of the Department of Homeland Security with the authority to temporarily extend the duration of protections provided under the SAFETY Act, and for other purposes. Peters, Gary C. [Sen.-D-MI]

I will be watching S 5294 for language that would provide additional regulatory authority to the EPA.

I will be watching S 5298.

Industrial Ammonia Accident Kills One

Very well-written article over on MSN.com about an industrial refrigeration accident in Norwood, MA yesterday that killed one contractor and severely injured another. Preliminary news from the article indicates that there might be an industrial control system issue that aggravated the situation, but we will have to wait for more information after the building is finally cleared of ammonia fumes and investigators are allowed into the building. There is no indication at this point that the Chemical Safety Board is planning on being part of the investigation, though this is certainly a reportable release of ammonia from the point of view of CSB regulations.

The industrial refrigeration system used at the facility uses ammonia as the cooling fluid, which is very common in large industrial applications, particularly food processing plants. In this case there is reportedly a 21,000-lb anhydrous ammonia storage tank at the facility that supplies the refrigeration system. Apparently, during work unrelated to that system, an ammonia line was breached. It is not clear from the article (and may not be known yet) if it was a feed line (liquid ammonia) or a return line (gaseous ammonia), but liquid ammonia quickly turns to gas when released to the atmosphere, so either could be the source of ammonia in the building.

The potential control system issue is briefly mentioned in the article:

“"It's a 21,000 pound tank that was leaking, we have no idea how much leaked," the fire chief explained. "There's no valves, basically all electronics in the area stopped working very quickly so we didn't have any of the controls."”

Ammonia is very corrosive, so if the gas got into any of the control system components, you would expect that there could be damage to those components. I would have expected most of those components (beyond perhaps operator controls) to be in atmospherically tight cabinets, but I come from a chemical manufacturing background where such things are standard.

It sounds like the refrigeration system employed at this facility did not have a high-flow cutoff valve on the ammonia tank. When you have a line break, the flow rate of ammonia out of the system is typically much higher than seen in normal use. A high-flow cutoff system senses that unusual flow and turns off the main outflow valve of the tank to minimize the potential loss from the system. It would seem that such a system would have mitigated the problem seen in Norwood. It does not seem as if it would have prevented the death and injury (they apparently occurred at the initial point of release), but it would have allowed the building to be cleared much more quickly.

Finally, it sounds like the facility had a good evacuation program in place. With a massive leak such as this, to get all of the employees out of the building with minimal exposure is impressive.

It will be interesting to see what the investigation turns up. Unfortunately, without a CSB investigation, it is unlikely that the results will be widely shared.


Monday, December 19, 2022

Short Takes – 12-19-22

Here’s what we know, and what we don’t, about the damaged Soyuz spacecraft. ArsTechnica.com article. Exterior coolant leak on current Russian crew’s ride home. Pull quote: “Although there is no immediate danger to the seven astronauts on board the space station, this is one of the most serious incidents in the history of the orbiting laboratory, which has been continuously occupied for nearly a quarter of a century. Among the most pressing questions: Is the Soyuz MS-22 spacecraft safe to fly back to Earth? If not, when can a replacement, Soyuz MS-23, be flown up? And if there is an emergency, what do the three crew members slated to fly home on MS-22 do in the meantime?”

Putin’s War. NYTimes.com article. Pull quote: “But instead of that resounding victory, with tens of thousands of his troops killed and parts of his army in shambles after nearly 10 months of war, Mr. Putin faces something else entirely: his nation’s greatest human and strategic calamity since the collapse of the Soviet Union.”

Shelby's swan song: A spending spat within his party. Politico.com article. Pull quote: “That candor is a fitting reminder of what Shelby’s trying to pull off this week: a legacy-sealing agreement that could be the Hill’s last big spending deal for years. It’s the type of legislation that contains a lot of provisions Shelby would vote against if they stood alone — but as a whole, sums up his old-school approach.”

Boom! Watch an inflatable space station module explode on video. Space.com article. Pull quote: “The company conducted what it calls the "ultimate burst pressure test" (UBP) as it progresses along the long road to helping develop a private replacement to the International Space Station (ISS). The inflatable module, called Large Integrated Flexible Environment, or LIFE, will form part of the larger Orbital Reef space station led by Blue Origin. NASA seeks to replace the aging ISS in the 2030s with industry-led private stations, and Orbital Reef is among them.”

On The Money — McConnell touts elements of omnibus. TheHill.com article. Pull quote: “Democrats were eager to strike a deal with McConnell and Sen. Richard Shelby (Ala.), the ranking Republican on the Senate Appropriations Committee, before Republicans take control of the House in January.”

The Final Action by the January 6 Committee Is Its Most Consequential. StatusKuo.Substack.com opinion piece. An interesting analysis. Pull quote: “But this won’t happen right away. The handover of materials by the Committee to the Department will take time to review, and follow up work will be necessary, particularly where evidence in its current form is inadmissible due to the rules of evidence at trial, which are more stringent than those around Congressional testimony. We will have to be patient as the process grinds forward yet again, but make no mistake: The criminal referrals comprise a critical milestone in this long saga, and we are now entering a new stage of the case entirely.”

Review - HR 9420 Introduced – Cyber Education Task Force

Earlier this month, Rep Torres (D,NY) introduced HR 9420, the Cybersecurity Education Task Force Act of 2022. The bill would require the National Cybersecurity Director to establish a Cybersecurity Education Task Force. No funding is authorized by this proposed legislation.

Moving Forward

Torres is not a member of the House Education and Labor Committee to which this bill was referred for consideration. This means that he would not likely have enough influence to see the bill considered in Committee. This is especially true in the last days of the 117th Congress.

I do not see anything that would have engendered any organized opposition to the bill had it been considered. I suspect that the bill could have been adopted in Committee with bipartisan support. It would likely have then been considered in the House under the suspension of the rules process.

Commentary

It is odd that CISA is included in the list of organizations to be represented on the Task Force and no other government agency is. While CISA is a major user of cybersecurity talent, and supervises federal agency cybersecurity implementation activities, it is not really an education focused agency. I would have expected to see the National Institute of Standards and Technology also represented on the Task Force as they have several educational development responsibilities related to cybersecurity.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/review-hr-9420-introduced - subscription required.


Sunday, December 18, 2022

Review – Public ICS Disclosures – Week of 12-10-22 – Part 2

For part 2 we have twelve additional vendor disclosures from Rockwell Automation (3), Schneider (2), Sick, VMware (4), Weidmueller, and Wiesemann & Theis. We also have seven vendor updates from CODESYS (3), Dell, HPE, Mitsubishi, and Omron. Finally, we have one researcher report for products from VMware.

Vendor Disclosures

Rockwell Advisory #1 - Rockwell published an advisory that describes a denial of service vulnerability in their MicroLogix 1100 & 1400 Product Web Server application.

Rockwell Advisory #2 - Rockwell published an advisory that describes a cross-site scripting vulnerability in their MicroLogix 1100 & 1400 Web Server application.

Rockwell Advisory #3 - Rockwell published an advisory that describes a denial of service vulnerability in their GuardLogix and ControlLogix controllers.

Schneider Advisory #1 - Schneider published an advisory that describes an improper authorization vulnerability in their EcoStruxure Power Commission.

Schneider Advisory #2 - Schneider published an advisory that discusses an out-of-bounds write vulnerability in their Saitel DR RTU (Remote Terminal Unit).

Sick Advisory - Sick published an advisory that describes four vulnerabilities in the SICK RFU6xx RADIO FREQUEN. SENSOR 1.

VMware Advisory #1 - VMware published an advisory that describes two vulnerabilities in their vRealize Network Insight (vRNI) product.

VMware Advisory #2 - VMware published an advisory that describes two vulnerabilities in their Workspace ONE Access and Identity Manager.

VMware Advisory #3 - VMware published an advisory that describes a heap-based write vulnerability in their ESXi, Workstation, and Fusion products.

VMware Advisory #4 - VMware published an advisory that describes two vulnerabilities in their vRealize Operations product.

Weidmueller Advisory - CERT-VDE published an advisory that describes a JavaScript injection vulnerability in the Weidmueller XML editing system SCHEMA ST4 online help.

Wiesemann & Theis Advisory - CERT-VDE published an advisory that describes an authentication bypass by spoofing vulnerability in multiple Wiesemann & Theis products.

Vendor Updates

CODESYS Update #1 - CODESYS published an update for their Control V3 communication server advisory that was originally published on November 22nd, 2022.

CODESYS Update #2 - CODESYS published an update for their V3 boot application advisory that was originally published on November 23rd, 2022.

CODESYS Update #3 - CODESYS published an update for their V2 password transport advisory that was originally published on June 9th, 2022 and most recently updated on October 6th, 2022.

CODESYS Update #4 - CODESYS published an update for their V2 and V3 runtime systems advisory that was originally published on March 22nd, 2018 and most recently updated on July 9th, 2018.

Dell Update - Dell published an update for their Log4Shell advisory.

HPE Update - HPE published an update for their NonStop advisory that was originally published on July 18th, 2022.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64TM and MC Works64 advisory that was originally published on July 19th, 2022 and most recently updated on September 30th, 2022.

Omron Update - JP-CERT published an update for their OMRON CX-Programmer advisory that was originally published on November 25th, 2022.

Researcher Report

VMware Report - Cisco Talos published a report describing a denial-of-service vulnerability in the VMware vCenter Server Content Library.

 

For additional information on these disclosures, including links to third-party advisories, exploits, and a brief summary of changes made, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-720 - subscription required.


CISA Advisory Update Numbering Error – 12-15-22

This morning, while doing my weekly files maintenance, I was saving copies of CISA advisories to my archives, and I was notified by the computer that two of the files already existed:

• ICSA-20-014-03: Siemens SCALANCE X Switches (Update B)

• ICSA-22-132-05: Siemens Industrial PCs and CNC devices (Update A)

Sure enough. The ‘Update B’ for ICSA-20-014-03 was published on June 16th, 2022. The ‘Update A’ for ICSA-22-132-05 was published on July 15th, 2022.

This is only an ‘issue’ for gadflies and info junkies like myself, since only the latest version of the advisory is available on the ICS-CERT Advisories web site, but it will be interesting to see if NCCIC-ICS ‘corrects’ the update labeling if/when they next update these advisories.

 
/* Use this with templates/template-twocol.html */