Tuesday, May 31, 2022

Review – 3 Advisories and 4 Updates Published – 5-31-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Fuji Electric, and two medical device security advisories for products from BD. They also updated four control system security advisories for products from Mitsubishi.

Fuji Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Fuji Alpha7 PC Loader servo drive system.

NOTE: See the report by Heinzl about the timeline of the disclosure. The fix is long-time coming….

BD Advisory #1 - This advisory describes an insufficient session expiration vulnerability in the BD Synapsys microbiology informatics software platform.

BD Advisory #2 - This advisory describes a not using password aging vulnerability in BD Pyxis automated medication dispensing systems.

NOTE: This CVE (CVE-2022-22766) was previously reported in BD Pyxis products by NCCIC-ICS (ICSMA-22-062-01) as a ‘use of hard-coded credentials vulnerability’ which coincides with the description in today’s advisory if not the name of the vulnerability in Section 3.2.1.

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on May 19th, 2022.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on March 31st, 2022.

Mitsubishi Update #3 - This update provides additional information on an advisory that was originally published on September 1st, 2020 and most recently updated on September 9th, 2021.

Mitsubishi Update #4 - This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on January 5th, 2021.

 

For more details on these advisories and updates, including discussions about BD advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-4-updates-published - subscription.

Sunday, May 29, 2022

Review - Public ICS Disclosures – Week of 5-21-22 – Part 2

For Part 2 this week, we have four vendor updates from HP, Mitsubishi (2), and VMware. We also have researcher reports for vulnerabilities for products from Intel (3), VMware, and Boeing.

HP Update - HP published an update for their PC BIOS advisory that was originally published on February 28th, 2022 and most recently updated on April 8th, 2022.

Mitsubishi Update #1 - Mitsubishi published an update for their Factory Automation advisory that was  originally published on July 30th, 2020 and most recently updated on December 17th, 2020.

Mitsubishi Update #2 - Mitsubishi published an update for their TCP Protocol Stack advisory that was originally published on September 1st, 2020 and most recently updated on August 24th, 2021.

VMware Update - VMware published an update for their Workspace One Access advisory that was originally published on March 18th, 2022.

Intel Reports - BINARLY published three reports (including proof of concept code) of vulnerabilities in the SMM Driver On Intel Platforms.

VMware Report - Pentera Labs published a report of an incorrect default permission vulnerability (including proof-of-concept code) in the VMware vCenter Server.

Boeing Report - Okay, this one is a bit odd, but Pen Test Partners published a blog post about their recent physical investigation of a recently decommissioned (with all equipment intact) Boeing 747.

 

For more details on these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-3a1 - subscription required.

Saturday, May 28, 2022

Review – Public ICS Disclosures – Week of 5-21-22 – Part 1

This has been a fairly busy disclosure week which will require two parts to list completely. For Part 1 we have seventeen vendor disclosures from ABB, CONTEC, Fuji Electric (2), HPE (2), Meinberg, Open Automation, QNAP (2), VMware (2), Western Digital, Xylem (3), and Yokogawa.

ABB Advisory - ABB published an advisory that describes two vulnerabilities in their e-Design product.

CONTEC Advisory - JP CERT published an advisory that describes an OS command injection vulnerability (with publicly available exploit) in the CONTEC SolarView Compact.

Fuji Advisory #1 - JP CERT published an advisory that describes five vulnerabilities in the Fuji V-SFT product.

Fuji Advisory #2 - JP CERT published an advisory that describes three vulnerabilities in the Fuji V-SFT, V-Server and V-Server Lite products.

HPE Advisory #1 - HPE published an advisory that describes an escalation of privilege vulnerability in their Version Control Repository Manager Installer.

HPE Advisory #2 - HPE published an advisory that discusses the Psychic Signatures vulnerability in their IceWall Products.

NOTE: This is going to be an interesting third-party vulnerability. The researcher report is well worth reading.

Meinberg Advisory - Meinberg published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their LANTIME Firmware.

Open Automation Advisory - Incibe CERT published an advisory that describes eight vulnerabilities in the Open Automation Software OAS Platform.

QNAP Advisory #1 - QNAP published an advisory that describes a cross-site request forgery vulnerability in their NAS running Proxy Server.

QNAP Advisory #2 - QNAP published an advisory that discusses four OpenSSL vulnerabilities.

VMware Advisory #1 - VMware published an advisory that describes an XML external entity vulnerability (with publicly available exploit) in their VMware Tools for Windows product.

VMware advisory #2 - VMware published an advisory that describes two vulnerabilities in their VMware Workspace ONE Access, Identity Manager and vRealize Automation products.

Western Digital Advisory - Western Digital published an advisory that discusses an improper authentication vulnerability in their My Cloud OS 5 Firmware.

Xylem Advisory #1 - Xylem published an advisory that discusses the CISA Emergency Directive (ED) 22-03.

Xylem Advisory #2 - Xylem published an advisory that discusses an improper verification of cryptographic signature vulnerability in their Xylem Edge Gateway.

Xylem Advisory #3 - Xylem published an advisory that describes an improper authentication vulnerability in the Sensus Analytics Login Service of their Utility Portal application.

Yokogawa Advisory - Yokogawa published an advisory that describes a violation of secure design principles vulnerability in their CAMS for HIS products.

 

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-017 - subscription required.

Bills Introduced – 5-27-22

Yesterday, with the House meeting in pro forma session, there were 38 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7900 To authorize appropriations for fiscal year 2023 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Smith, Adam [D-WA-9]

This bill will be the National Defense Authorization Act for FY 2023. Actually, as introduced, this bill is the skeleton for that Act. The House Armed Services Committee and its various subcommittees will be holding hearings over the next couple of weeks to markup that skeleton, producing the final bill that will further amended by the full House.

Friday, May 27, 2022

Review - CISA Announces Cybersecurity Advisory Committee Meeting – 6-22-22

Today CISA published a meeting notice in the Federal Register (87 FR 32178-32179) for an in person meeting of the Cybersecurity Advisory Committee (CSAC) on June 22nd, 2022 in Austin, TX. Portions of the meeting will be closed to the public.  The public portions of the meeting will include:

• Period for public comment,

• Updates from six subcommittees, and

• Discussion and voting on recommendations from CSAC to CISA

NOTE: Items to be voted upon should be available on the Committee’s website prior to the meeting.

CISA is soliciting public participation in next month's meeting. Personnel wishing to attend, either in person or telephonically, need to register by June 20th, 2022. Personnel wishing to make personal presentations at the meeting need to register that fact as well. Written comments to be considered by the CSAC can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2022-0002).

 

For more details about the upcoming meeting, as well as a brief look at the previous meeting, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-announces-cybersecurity-advisory - subscription required.

Bills Introduced – 5-26-22

Yesterday, with just the Senate in session in Washington, there were 47 bills introduced. One of those bills will receive additional attention in this blog:

S 4336 A bill to require the Secretary of Health and Human Services, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, to annually review and as appropriate update guidance for industry and Food and Drug Administration staff on medical device cybersecurity, and for other purposes. Sen. Rosen, Jacky [D-NV] 

Thursday, May 26, 2022

Review - S 4248 Introduced – PROTECT Our Great Lakes Act

Last week, Sen Peters (D,MI) introduced S 4248, the Preventing Releases of Toxic Environmental Contaminants Threatening (PROTECT) Our Great Lakes Act. This bill addresses four separate policy issues:

• PHMSA employee pay rates,

• Oil spill response plans,

• Pipeline monitoring and control, and

• Acceptance of gifts supporting oil spill impact research

Peters is a member of the Senate Commerce, Science and Transportation Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. Other than covering too many disparate issues in a single bill, I see nothing in this bill that would engender any organized opposition. Unfortunately, there would be some opposition for provisions in individual sections of the bill that, when combined, could prevent this bill from being approved in Committee.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4248-introduced - subscription required.

Review – 2 Advisories Published – 5-26-22

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Horner Automation and Keysight Technologies.

Horner Advisory - This advisory describes four vulnerabilities in the Horner Cscape PLC management software.

Keysight Advisory - This advisory describes two vulnerabilities in the Keysight N6854A Geolocation server and N6841A RF Sensor software.

 

For more details on these advisories, including a new ‘Down the Rabbit Hole’ feature looking at the cybersecurity support on the Keysight website, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-5-26-22 - subscription required.

 

HSGA Committee Amends and Adopts Cybersecurity and Chemical Safety Bills

Yesterday, the Senate Homeland Security and Governmental Affairs Committee, held a business meeting where they considered 16 pieces of legislation including:

• S 4000, Intragovernmental Cybersecurity Information Sharing Act, and

• S 4166, Technological Hazards Preparedness and Training Act of 2022,

S 4000 would require DHS to enter into information sharing agreements with the House and Senate on cybersecurity issues. Substitute language was offered and adopted by a voice vote.

S 4166 would require FEMA to “maintain the capacity to provide States and local governments with technological hazards and related emerging [CBRN] threats technical assistance, training, and other preparedness programming to build community resilience to technological hazards and related emerging threats. Two amendments were offered for this bill. The Committee adopted the amendment offered by Sen Paul (R,TN) by a voice vote. A second amendment offered by Sen Scott (R,SC) was rejected by a voice vote..

Unfortunately, the HSGAC does not make amendments publicly available. So, we will not be able to tell what changes have been made to either bill until the Committee publishes their report.

BIS Publishes Cybersecurity Controls Final Rule

Today, the DOC’s Bureau of Industry and Security (BIS) published a final rule in the Federal Register (87 FR 31948-31954) “Information Security Controls: Cybersecurity Items”. The Interim Final rule for this rulemaking was published on October 21st, 2021. Changes were made to the regulation based upon public comments filed on the interim final rule.

The BIS made the following, relatively minor, changes:

Added a new end-use restriction {§740.17(f)},

Revised the definition of ‘Government end user’ in §740.22(b)(4),

Revised the format of restrictions of §740.22(c),

Amended the scope of §740.22(c)(2)(i),

Amended the definition of “Less sensitive government end users” and “More sensitive government end users” in §740.22, and

Restores 5D001.e

 

This final rule is effective today.

Wednesday, May 25, 2022

Hearing Tomorrow to Look at TSA

The Transportation and Maritime Security Subcommittee of the House Homeland Security Committee announced this morning that they would be holding a hearing tomorrow on “The State of the Transportation Security Administration”. The sole witness is Administrator David Pekoske. While this is not billed as a cybersecurity hearing, I would be very surprised if both the testimony and the questions from the Subcommittee members do not touch on the pipeline and surface transportation cybersecurity directives that have been issued by the TSA over the last year.

 

Bills Introduced – 5-24-22

Yesterday with the Senate in Washington and the House meeting in pro forma session, there were 36 bills introduced. One of those bills will receive additional coverage in this blog:

S 4298 A bill to require the Transportation Security Administration to standardize the enrollment process for individuals applying for multiple TSA security threat assessment programs, including the TWIC, HAZMAT Endorsement, and TSA PreCheck programs of the Administration, and for other purposes. Sen. Wicker, Roger F. [R-MS]

This sounds like it may be similar to HR 6571 that was introduced in February. No action has taken place on that bill.

Tuesday, May 24, 2022

HR7814 Introduced – Medical Security Grants

Last week, Rep Escobar (D,TX) introduced HR 7814, the Health Care Providers Safety Act of 2022. The bill would amend the Public Health Service Act by adding a new §399V-7, Grants to Health Care Providers to Enhance Security. It would allow HHS to “award grants to health care providers to pay for security services and otherwise enhance the physical and cyber security of their facilities, personnel, and patients to ensure safe access.”

Subsection (b) of the new section would allow “video surveillance camera systems, data privacy enhancements, and structural improvements” as allowable uses of the grant funds. There are no specific cybersecurity uses listed as allowable uses of the funds.

There is no funding authorized in the bill for the grant program.

While Escobar is not a member of the House Energy and Commerce Committee to which this bill was assigned for consideration, a number of the 92 cosponsors {including Rep Schakowsky (D,IL), Rep Tonko (D,IL), and Rep Clarke (D,NY) for example} are members. This means that there should be sufficient influence to see the bill considered in Committee.

I do not see anything in the bill that would draw organized opposition, but the fact is that there are no Republican cosponsors of the bill, so I suspect that the opposition sees some abortion support aspect to the bill. Perhaps they fear that the funds would go to support abortion clinic security under the current administration. That is what happens when some people see words like “safe access” in legislation. Perhaps if the security grants came from DHS there would not be the same code word reading.

Review – 2 Advisories, 2 Updates Published – 5-24-22

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Matrikon and Rockwell Automation. They also updated two advisories for products from Mitsubishi.

NOTE: Mitsubishi published two additional advisory updates today. Unless NCCIC-ICS covers those Thursday, I will report on them this weekend.

Matrikon Advisory - This advisory describes an improper access control vulnerability in the Matrikon OPC Server.

NOTE: This vulnerability does not appear to be related to the Pwn2Own Miami 2022 competition that resulted in findings of multiple vulnerabilities in the OPC UA Server category, but it seems odd that so many different OPC UA Server vulnerabilities are being reported in so close a time proximity.

Rockwell Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Rockwell Logix Controllers.

Mitsubishi Update #1 - This update provides additional information on an advisory that originally published on July 30th, 2020 and most recently updated on February 8th, 2022.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on February 18th, 2021 and most recently updated on February 8th, 2022.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-2-updates-published - subscription required.

Monday, May 23, 2022

Review - TSOB Ratifies Four TSA Security Directives

DHS’s Office of Strategy, Policy, and Plans published a notice in today’s Federal Register (87 FR 31093-31094) announcing that the Transportation Security Oversight Board (TSOB) has ratified Transportation Security Administration (TSA) Security Directive 1580-21-01, Security Directive 1582-21-01, Security Directive Pipeline-2021-01A, and Security Directive Pipeline-2021-02B. This allows these directives to continue in force until the respective published expiration dates.

For more details about the TSOB and the Security Directives, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsob-ratifies-four-tsa-security-directives - subscription required.

Committee Hearings – Week of 5-22-22

This week with the Senate in Washington, and the House holding remote hearings, there is a moderately heavy hearing schedule. There are still a few FY 2023 budge hearings be held, but we only have about a month left before the House should start publishing FY 2023 spending bills (the Senate may or may not be publishing any). There is one markup hearing that includes cybersecurity bills.

FY 2023 Budget

Tuesday - Member Day – House – Homeland Security Subcommittee – Appropriations,

Wednesday – Member Day – House – THUD Subcommittee – Appropriations,

Wednesday – FEMA – House – Homeland Security Subcommittee – Appropriations,

‘Member Day’ hearings allow members of the House that are not members of the Appropriations Committee to testify before the Subcommittee on the appropriations process.

Markup Hearing

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a business meeting that will include consideration of 15 bills and one naming bills. Bills of interest here include:

• S 4000, Intragovernmental Cybersecurity Information Sharing Act, and

• S 4166, Technological Hazards Preparedness and Training Act of 2022


CSB Publishes Chemical Accident Reporting Data – 5-20-22

On Friday, the Chemical Safety Board (CSB), published a notice on their website that they were making available to the public their “Accidental Release Database” (.DOCX download link). It provides listings of incidents reported to the CSB under the requirements of 40 CFR 1604.3. According to the notice:

“The CSB’s Accidental Release Database includes all accidental release incidents reported since March 23, 2020, the effective date of the Accidental Release Reporting regulation. The database is revised quarterly and may include revisions or corrections to events previously reported and events that were not timely reported to the CSB in accordance with the regulation.”

The .DOCX spread sheet appears to be current through May 13th, 2022 and contains 153 reported incidents. It notes that 24 of the incidents resulted in a (at least 1) fatality, 90 resulted in at least 1 serious injury, and 62 resulted in substantial property damage. Each entry includes a listing of:

• The incident date,

• Company name,

• City,

• State, and

• Listing of the incident reporting criteria noted above.

The incident reports made to CSB are required to include more information than provided in this database, but this is the information that the CSB is choosing to make public. 

Saturday, May 21, 2022

GAO Report – Protecting DOD’s Controlled Unclassified Information Systems

On Thursday, the Government Accountability Office published a report on “Defense Cybersecurity Protecting Controlled Unclassified Information Systems” (GAO-22-105259). The report looks at how well the DOD is doing in their efforts to get their CUI programs into regulatory compliance. The short answer, according to the GAO’s look at four basic program measures, it that DOD still has a way to go.

The four measures used by GAO to evaluate the DOD’s implementation process are:

• Categorize DOD CUI systems accurately (80 to 89% complete),

• Implement Cybersecurity Maturity Model Certification’s 110 security requirements (70 to 79% complete),

• Implement 266 security controls for moderate confidentiality impact systems (80 to 89% complete), and

• Authorize system to operate on DOD network (90% plus complete).

While this GAO Report just looks at the DOD, the CUI program under 32 CFR 2002 applies to all branches of the Federal Government and their contractors (and in some instances regulated entities). Some common federal information protection schemes that fall under the CUI protection regulations include (but are certainly not limited to):

• Chemical-terrorism Vulnerability Information (CVI),

• Critical Energy Infrastructure Information (CEII),

• Protected Critical Infrastructure Information (PCII), and

• Sensitive Security Information (SSI)

It would be interesting to see how other federal agencies (DOE and DHS for example) fair in their implementation of the §2002 regulations.

OMB Approves BIS Information Security Controls Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a ‘Final Rule’ for DOC’s Bureau of Industry and Security (BIS) for “Information Security Controls: Cybersecurity Items”. When this was sent to OIRA back in March, the submission was billed as a “Delay of Effective Date”, but there is no mention of that in yesterday’s announcement. It could be the final rule for the interim rule that was published last October. Well, we will see what is going on when this is published in the Federal Register, probably this coming week.

Review – Public ICS Disclosures – Week of 5-14-22

This week we have sixteen vendor disclosures from Aruba, Fujitsu, HPE (6), Moxa, OPC Foundation, Pepperl+Fuchs, Philips, Sick, Siemens, Tanzu (2). Then we have two vendor updates from Aruba and Johnson Controls. Finally, we have four researcher reports for products from Schneider, Spectrum Brands, Tesla, and Galleon.

Aruba Advisory - Aruba published an advisory that discusses five vulnerabilities in multiple Aruba products.

Fujitsu Advisory - JP-CERT published an advisory that discusses two vulnerabilities in the Fujitsu IPCOM products.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities in their Edgeline Servers.

HPE Advisory #2 - HPE published an advisory that discusses an information disclosure vulnerability in their Moonshot/Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses an information disclosure vulnerability in their Moonshot/Edgeline Servers.

HPE Advisory #4 - HPE published an advisory that discusses six vulnerabilities in their HP-UX OpenSSL products.

HPE Advisory #5 - HPE published an advisory that describes three vulnerabilities in their OneView product.

HPE Advisory #6 - HPE published an advisory that discusses 14 vulnerabilities in their ProLiant Gen10 and Gen10 Plus Servers.

Moxa Advisory - Moxa published an advisory that discusses a heap-based buffer overflow vulnerability in the Linux IPsec ESP transformation code.

OPC Advisory - The OPC Foundation published an advisory that describes an uncontrolled resource exhaustion vulnerability in their UA Legacy Java Stack.

NOTE: I believe that this vulnerability was one of the ones reported in the Pwn2Own Miami 2022 competition that I briefly mentioned last week.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses six Bluetooth vulnerabilities in the Pepperl+Fuchs RSM-EX01B product family.

Philips Advisory - Philips published an advisory that discusses the CISA Emergency Directive 22-03 for the mitigation of VMware vulnerabilities.

Sick Advisory - Sick published an advisory that describes a deserialization of untrusted data vulnerability in their Flexi Soft Designer & Safety Designer.

Siemens Report - Siemens published a report discussing a published exploit of their S7-1200 4.5 that was published back in March.

Tanzu Advisory #1 - Tanzu published an advisory that describes an integer overflow vulnerability in their Spring Security product.

Tanzu Advisory #2 - Tanzu published an advisory that describes an authorization bypass vulnerability in their Spring Security product.

Aruba Update - Aruba published an update for their TLStorm 2.0 advisory that was originally published on May 3rd, 2022.

Johnson Controls Update - Johnson Controls published an update for their SpringShell advisory that was that was originally published on April 19th, 2022 and most recently updated on April 29th, 2022.

Schneider Report #1 - Kaspersky published a report that describes an authentication bypass by spoofing vulnerability in the Schneider Electric Modicon M340/M580 controllers.

Schneider Report #2 - Kaspersky published a report that describes an information leak from project files vulnerability in the Schneider Electric EcoStruxure Control Expert / Process Expert, and SCADAPack RemoteConnect products.

Spectrum Brands Report - NCC Group published a report describing a BLE relay vulnerability in the Kwikset/Weiser Kevo smart locks.

Tesla Report - NCC Group published a report describing a BLE relay vulnerability in the Tesla automobile.

Galleon Report - Pen Test Partners published a report describing a command injection vulnerability in the Galleon Systems’ GPS NTP time server.


For more details on these disclosures, including links to researcher reports and third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-581 - subscription required.


Friday, May 20, 2022

Review - HR 7174 Amended and Adopted in Committee – Cyber Forensics Institute

Yesterday, the House Homeland Security Committee held a business meeting where five DHS related bills were considered, including HR 7174, the National Computer Forensics Institute Reauthorization Act of 2022. Rep Slotkin (D,MI) proposed substitute language and Rep Thompson (D,MS) introduced a brief amendment to that language. The Committee adopted both by voice votes.

The amendments approved by the Committee yesterday do not make any substantive changes to the bill. The bill would still reauthorize the Secret Service’s NCFI through 2032 and expand the scope of responsibilities for the Institute. It would make several changes to 6 USC 383, including adding a list of definitions of key terms. The bill does not include authorization for expenditures to support these changes.

The broad bipartisan support for the bill in Committee essentially ensures that the bill will be considered under the suspension of the rules process. Once the Committee publishes their report on the bill, the bill will be cleared for consideration by the full House.

HR 7777 Adopted in Homeland Security Committee – ICS Training

Yesterday, the House Homeland Security Committee held a business meeting where five DHS related bills were considered, including HR 7777, the Industrial Control Systems Cybersecurity Training Act. Without amendment, the bill was ordered favorably reported by a voice vote. Once the Committee report is published, this bill will be cleared for consideration by the Whole House. The bill will almost certainly be taken up there under the suspension of the rules process. It will likely pass with strong bipartisan support.

This bill would amend the Homeland Security Act of 2002 to establish within CISA an Industrial Control Systems Cybersecurity Training Initiative. No new funding is authorized in the bill. This, in effect, authorizes the long-standing ICS training program is CISA.

Bills Introduced – 5-19-22

Yesterday, with both the House and Senate in Washington, there were 67 bills introduced. One of those bills will receive additional coverage in this blog:

S 4268 A bill to amend the Public Health Service Act to authorize grants to health care providers to enhance the physical and cyber security of their facilities, personnel, and patients. Sen. Gillibrand, Kirsten E. [D-NY] 

This may be a companion bill to HR 7814 that was introduced yesterday.

Thursday, May 19, 2022

HR 6824 Reported in House – Cybersecurity Competition

While the House passed HR 6824 earlier this week, the Committee Report for the bill was not publicly available until after the vote was held. The Report makes the point (pgs 3-4) that the ‘President’s Cup Cybersecurity Competition’ that would be authorized by the bill have actually been held since 2019. The report concludes that discussion by saying:

“H.R. 6824 will specifically authorize the President’s Cup Cybersecurity Competition in law in a manner that provides CISA with needed authority to award cash prizes to the winners to reward their demonstrated cybersecurity skills, which can act as an important retention tool. Codifying the President’s Cup will demonstrate that both Congress is committed to addressing Federal cybersecurity recruitment and retention challenges and values the Federal cyber workforce.”

That is, perhaps, a more positive spin than I normally put on congressional efforts to authorize activities already being undertaken by the Executive Branch. In this case, I will give them credit for the effort and intent publicly stated, since they did give CISA credit for the origination of the program.

Review - 1 Advisory Published – 5-19-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Mitsubishi. CISA also published their analysis of the risk and vulnerability assessments (RVA) that they conducted in FY 2021.

Mitsubishi Advisory

This advisory describes two improper input validation vulnerabilities in the Mitsubishi MELSEC iQ-F series CPU modules.

FY 2021 RVA Analysis

CISA reports in their analysis document that they had conducted 112 risk and vulnerability assessments (RVA) of multiple stakeholders across various sectors in FY 2021. This document utilizes data collected during those RVAs to produce a sample attack path that a cyber threat actor could take to compromise an organization, using the weaknesses identified in FY21 RVAs.

CISA also provides an infographic that delineates the top three techniques CISA was able to use to effect each of the eleven tactics of a sample attack path developed by CISA that is based loosely on the ATT&CK methods.

For more details on the advisory and the CISA RVA analysis, including my commentary on the efficacy of the recommendations made by CISA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-5-19-22 - subscription required.

House Science Committee Approves HR 7569 – Cybersecurity Education

On Tuesday, the House Science, Space, and Technology Committee held a business meeting where they considered HR 7569, the Energy Cybersecurity University Leadership Act of 2022. The bill was adopted without amendment by a voice vote. The legislation would require DOE to establish an “Energy Cybersecurity University Leadership Program”.

Once the Committee’s report is prepared, the bill will be cleared for consideration by the full House. The bill would probably be considered under the suspension of the rules process. That means limited debate, no floor amendments, and would require a super majority for passage.

Review – HR7777 Introduced – ICS Training

Earlier this week, Rep Swalwell (D,CA) introduced HR 7777, the Industrial Control Systems Cybersecurity Training Act. The bill would amend the Homeland Security Act of 2002, adding a new §2220D that would establish within CISA an Industrial Control Systems Cybersecurity Training Initiative. No new funding is authorized in the bill.

Moving Forward

Swalwell is a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive substantial bipartisan support in Committee. The bill would likely pass in the House after consideration under the suspension of the rules process.

Commentary

This bill is another example of Congress authorizing a long-standing program run by the executive branch and taking credit for the idea. The description of the Industrial Control Systems Cybersecurity Training Initiative provided in §2220D(b) could have been taken from the CISA ICS training web page that I described (subscription required) on Tuesday. And the fact that the in person classes are held at DOE’s Idaho National Laboratory certainly fits with the requirements of §2220D(b)(2)(A).

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr7777-introduced - subscription required.

Bills Introduced – 5-18-22

Yesterday, with both the House and Senate in session, there were 46 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 7814 To amend the Public Health Service Act to authorize grants to health care providers to enhance the physical and cyber security of their facilities, personnel, and patients. Rep. Escobar, Veronica [D-TX-16]

S 4248 A bill to enhance pipeline safety and oil spill preparedness and response, particularly in the Great Lakes Basin, and for other purposes. Sen. Peters, Gary C. [D-MI] 

Wednesday, May 18, 2022

Review - CG Announces 2-Day NCTSAC Meeting – 6-8-22

Today, the Coast Guard published a meeting notice in the Federal Register (87 FR 30242-30243) for a two-day meeting of the National Chemical Transportation Safety Advisory Committee (NCTSAC) on June 8th and 9th, 2022 in Arlington, VA. The in-person and virtual combined meeting will be public. The NCTSAC will consider the progress on Task Statement 21-01, Recommendations on Loading Limits of Gas Carriers and USCG Supplement to International Hazardous Zone Requirements and the introduction of three new potential tasks for the Committee’s consideration.

There will be limited seating for in-person attendance at the meeting. Personnel wishing to register for in-person attendance or virtual attendance should contact Lieutenant Ethan T. Beard (Ethan.T.Beard@uscg.mil). COVID-19 safety protocols (including mask wear) will be in effect at the meeting site.

Public comment on the agenda items is being solicited. Written comments can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2022-0254.

For more details on LNG Tasking and the listing of the new taskings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cg-announces-2-day-nctsac-meeting - subscription required.

HR 6868 Passed in House – Cybersecurity Education

On Monday, the House took up HR 6868, the Cybersecurity Grants for Schools Act of 2022. The bill was considered under the suspension of the rules process. After very limited debate, with no opposition voiced, a recorded vote was demanded. That vote took place yesterday and the bill passed with a strongly bipartisan vote of 383 to30.

The bill would expand the scope of the existing the Cybersecurity Education and Training Assistance Program (6 USC 665f) by allowing CETAP grants to go to States, local governments, institutions of higher education, nonprofit organizations, and other non-Federal entities for the purposes of funding cybersecurity education or training programs.

Again, this is another bill that will probably not be considered in the Senate due to time constraints.

HR 6873 Passed in House – Bombing Prevention

On Monday the House took up HR 6873, the Bombing Prevention Act of 2022. The bill was considered under the suspension of the rules process. After limited debate and no adverse comments on the bill from the floor, a recorded vote was demanded. That vote took place yesterday and the bill passed with a strong, bipartisan vote of 388 to 26.

The bill would authorize the current Office for Bombing Prevention (OBP) and outlines the technical assistance services DHS would provide to counter terrorist explosive threats and attacks.

Multiple attempts have been made over the years to authorize the OBP. Generally, those bills have passed in the House, but were not taken up in the Senate. As with many bills, this bill is not of high enough priority to take up the legislative time necessary for consideration under regular order in the Senate. Since the program is already in existence and regularly funded in DHS spending bills, there is little incentive to consider the bill under the unanimous consent process. This version of the bill is likely to face the same fate.

Tuesday, May 17, 2022

S 2520 Passed in House – State and Local Cybersecurity

Yesterday the House took up S 2520, the State and Local Government Cybersecurity Act of 2021. The bill was considered under the suspension of the rules process. After limited debate yesterday, a recorded vote was demanded. That vote took place today and the bill passed by a strong bipartisan vote of 404 to 14.

The bill would add additional responsibilities for CISA with regards to State and local governments. It would also provide additional coordination responsibilities for CISA’s National Cybersecurity and Communications Integration Center (NCCIC). No additional funding is authorized to support these additional responsibilities.

Since no changes were made in the bill during consideration in the House, the bill now heads to President Biden for signature.

Review – 1 Advisory Published – 5-17-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Circutor. I also take a brief look at the different types of cybersecurity training provided by CISA.

Circutor Advisory - This advisory describes a stack-based buffer overflow in the Circutor COMPACT DC-S BASIC smart metering concentrator.

CISA ICS Cybersecurity Training

Since I mentioned CISA’s control system security training in passing this morning, I thought I might take a little bit of a more detailed look at the training programs here.

On the CISA ICS landing page, CISA provides a link to their training resources. They provide two different types of training; web-based training and instructor led training.

 

For more details about the advisory and the CISA training programs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-5-17-22 - subscription required.

S 658 Signed by President – Cybersecurity Consortia

Last week, President Biden signed S 658, the National Cybersecurity Preparedness Consortium Act of 2021. Yesterday, the bill was assigned the Public Law number PL 117-122 (it will be months before the PL is actually printed).

As I have noted earlier the provisions in this bill allowing NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” are simply acknowledgement of DHS activities that have been taking place for a number of years. Since there is no new funding authorized in this bill, Congress again takes credit for work already done by DHS without spending any money or political capital.

HR 5658 Passed in House – Cybersecurity Roles

Yesterday, the House took up introduced HR 5658, the DHS Roles and Responsibilities in Cyber Space Act. The bill was considered under the House suspension of the rules process. After minimal debate, with no dissenting voices heard, a recorded vote on the bill was requested. Later in the day, the House voted 313 to 105 to pass the bill. The bill is unlikely to be considered in the Senate.

The bill would require DHS to prepare “a report on the roles and responsibilities of the Department and its components relating to cyber incident response.” It would also specifically add CISA cross-sector responsibilities for enhancing control system cybersecurity.

Since there was no opposition voiced to the bill in yesterday’s debate, it is hard to see what caused the substantial bipartisan (32 Democrats and 73 Republicans voted Nay) opposition to this bill.

Once again, this is a relatively unimportant bill. It would be hard to justify the legislative time necessary to take up this bill in the Senate under regular order. The significant opposition to the bill seen in the House would mean that there would be little chance of this bill being passed under the unanimous consent process. Thus, the only way this bill could make it to the President’s desk would be for the language to be added to some other bill that was headed to the White House.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5658-introduced - subscription required.

HR 6825 Passed in House – Nonprofit Grant Program

Yesterday the House took up HR 6825, the Nonprofit Security Grant Program Improvement Act of 2022. The bill was considered under the suspension of the rules process. After limited debate, with no dissenting voices heard, the bill passed by a vote of 288 to 129. The bill is unlikely to be considered in the Senate.

The bill would amend the current Nonprofit Security Grant Program (6 USC 609a) to specifically includes the risk of “extremist attacks other than terrorist attacks and threats’ in the coverage of the grant program. It also increases the out-year funding from $75 million per year to $500 million per year. The program currently supports cybersecurity measures.

It is not clear why there was so much Republican opposition to the bill since no one spoke out during the debate. I suspect, however, that this was a combination of the increased cost and the addition of the ‘extremist attacks’ language. With Chairman Thompson (D,MS) specifically citing the racially motivated attack this weekend in Buffalo in yesterday’s debate (pg H4984), there may have been some supporters of the ‘replacement theory’ that felt some of their base might be targeted by the new funding.

This bill is unlikely to be considered in the Senate. It is not ‘important’ enough to take up the legislative time required for regular order and the significant Republican opposition would make consideration under the unanimous consent process impossible. The only hope for moving forward would be to include the language in a larger, must pass, or sure to pass, bill.

For more details about the provisions of the bill, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6825-introduced - subscription required.

OMB Approves BIS Marine Toxics Request for Comments

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a request for comments from the DOC’s Bureau of Industry and Security for “Commerce Control List: Proposed Controls on Certain Marine Toxins”.  According to the Fall 2021 Unified Agenda listing for this rulemaking:

“The Bureau of Industry and Security (BIS) is publishing this final rule to amend certain Export Control Classification Numbers (ECCNs) on the Commerce Control List (CCL) to reflect recent updates to the Australia Group (AG) Common Control Lists.”

As I noted when this RFC was sent to OIRA, it looks like BIS is going to continue to use these RFC’s as a substitute for ‘notices of proposed rulemaking’ where they are authorized to use a direct rulemaking process. It drags out changes to the CCL (making for some export/import coordination issues), but it should help BIS avoid some of the problems they have been having with their direct rulemaking process.

Bills Introduced – 5-16-22

Yesterday, with both the House and Senate in session, there were 33 bills introduced. One of those bills will receive future coverage in this blog:

HR 7777 To amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency to establish an industrial control systems cybersecurity training initiative, and for other purposes. Rep. Swalwell, Eric [D-CA-15] 

I am hoping that the ‘training initiative’ is something more than just authorizing the current CISA ICS training programs, but I am not holding my breath.

Monday, May 16, 2022

HR 6824 Passed in House – Cybersecurity Competition

Today, the House took up HR 6824, the President’s Cup Cybersecurity Competition Act. The bill was considered under the suspension of the rules process. There was limited debate of the bill this afternoon and a recorded vote was requested. This evening, the House voted 386 to 31 to pass the bill.

The way this bill is set up we could see multiple Department wide competitions or a single government wide competition. Or not competitions, if CISA decides it is just not worth the effort. In any case, if this bill passes, Congress gets credit for doing something for cybersecurity, even if no one holds a single competition.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6824-introduced - subscription required.

Committee Hearings – Week of 5-15-22

This week, with both the House and Senate in session, there is a very active hearing schedule on both sides of the Hill. FY 2023 budget hearing continue, including Member Day hearings (where congresscritters not on the Appropriations Committee have a chance to plead for their favorite projects). We also have two cybersecurity markups, a health and education cybersecurity hearing, and an emergency response hearing.

Cybersecurity Markups

On Tuesday, the House Science, Space, and Technology Committee will hold a business meeting to consider four pieces of legislation. It will include:

HR 7569, the Energy Cybersecurity University Leadership Act of 2022.

On Wednesday, the Senate Small Business Committee, will hold a business meeting to consider five bills. It will include:

S 1687, the Small Business Cyber Training Act of 2021

NOTE: I have not followed this bill closely because it deals with cybersecurity training for employees of Small Business Development Center, not small businesses.

Cybersecurity Hearings

On Wednesday the Senate Health, Education, Labor and Pensions Committee will hold a hearing on “Cybersecurity in the Health and Education Sectors”. The witness list includes:

• Denise Anderson, Health Information Sharing and Analysis Center,

• Joshua Corman, I Am the Cavalry,

• Amy McLaughlin, Consortium of School Networking, and

• Helen Norris, Chapman University

I do not think that there will be any in depth discussion about medical device cybersecurity issues, but I could be wrong with Corman as a witness.

Emergency Response

On Tuesday, the Emergency Preparedness, Response, and Recovery Subcommittee of the House Homeland Security Committee will hold a hearing on “Creating a More Resilient Nation: Stakeholder Perspectives”. The witness list will include:

• Chris Currie, GAO,

• Orlando Rolón, Chief of Police, City of Orlando, and

• George Dunlap, Mecklenburg County Commission

I do not think that there will be any specific discussion about response planning for chemical incidents.

On the Floor

There are five cybersecurity bills scheduled for consideration in the House this week under the suspension of the rules process. They include:

HR 5658 – DHS Roles and Responsibilities in Cyber Space Act, as amended,

HR 6824 – President’s Cup Cybersecurity Competition Act, as amended,

HR 6825 – Nonprofit Security Grant Program Improvement Act of 2022, as amended,

HR 6868 – Cybersecurity Grants for Schools Act of 2022, as amended, and

S 2520 – State and Local Government Cybersecurity Act of 2021,

Review - S 4166 Introduced – Technological Hazards

Earlier this month, Sen Portman (R,OH) introduced S 4166, the Technological Hazards Preparedness and Training Act of 2022. The bill would require FEMA to “maintain the capacity to provide States and local governments with technological hazards and related emerging threats technical assistance, training, and other preparedness programming to build community resilience to technological hazards and related emerging threats.” The bill would authorize funding at $20 million per year through FY 2024.

Moving Forward

Portman is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. Portman certainly has the influence to see this bill considered in Committee. I would like to think that this bill would receive bipartisan support in Committee, though I am not sure that that will be the case. I suspect that there will be some Republican opposition because this sounds like it could be an environmental justice bill and would certainly be labeled as such if it had been introduced by Sen Warren or Sen Markey, both Democrats from Massachusetts.

In any case, even if this bill were moved through the Committee, it would never make it to the floor of the Senate. The bill is too small and ‘unimportant’ to be considered under regular order and there are a number of Senators that could be expected to object if offered under the unanimous consent process.

Commentary

When this bill was introduced, I noted the odd phrasing used to describe the program: “support communities containing technological hazards and emerging threats” and I commented that: “on the off chance the ‘technological hazards and emerging threats’ include cybersecurity issues, I will be watching this bill when it is published.” Boy was I off-base. Instead of cyber issues this is about CBRN hazard planning and it is about time that someone put the responsibility for that in the hands of FEMA and not the EPA.

Unfortunately, because of the odd wording, this bill is unlikely to get serious consideration. That combined with the lack of specific direction and the very small budget ($20 million for just two years???) even if this were to pass it would not even be as effective as the EPA’s LPCs and very few of those have accomplished anything.

But, the fact that it is Portman that offered this bill instead of an environmental bomb thrower, does make me stop and hope that this is a sign that perhaps chemical emergency response planning (and yes, the remainder of the CBRN panoply) may start to receive some serious attention.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4166-introduced - subscription required.

Sunday, May 15, 2022

Review – Public ICS Disclosures – Week of 5-7-22 – Part 2

For Part 2 we have nine additional vendor disclosures from Philips, Phoenix Contact, ProsysOPC, Rockwell Automation, Schneider (3), and Tanzu (2). We also have eleven updates from QNAP, Rockwell (2), Schneider (3), and Siemens (5). There are also researcher two reports for products from XINJE and Rockwell. Finally, we have two exploits for products from USR IOT and Spring.

Philips Advisory - Philips published an advisory that discusses the F5 BIG IP vulnerability.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses two vulnerabilities in their RAD-ISM-900-EN-BD devices.

ProsysOPC Advisory - ProsysOPC published an advisory that describes a resource exhaustion vulnerability in their OPC UA SDK for Java that was discovered during the PWN2OWN MIAMI 2022 competition.

Rockwell Advisory - Rockwell published an advisory that discusses an infinite loop vulnerability in their ThinMan and FactoryTalk products.

Schneider Advisory #1 - Schneider published an advisory that describes six vulnerabilities in their Wiser Smart products.

Schneider Advisory #2 - Schneider published an advisory that discusses an out-of-bounds write vulnerability in their Saitel DP RTU.

Schneider Advisory #3 - Schneider published an advisory that describes an improper input validation vulnerability in their PowerLogic ION Setup product.

Tanzu Advisory #1 - Tanzu published an advisory that describes a denial-of-service vulnerability in their Spring Framework.

Tanzu Advisory #2 - Tanzu published an advisory that describes a file download vulnerability in their Spring MVC or Spring WebFlux applications.

QNAP Update - QNAP published an update for their VS Series NVR advisory that was originally published on May 6th, 2022.

Rockwell Update #1 - Rockwell published an update for their Logix Controllers advisory that was originally published on March 31st, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-090-05) for this new information.

Rockwell Update #2 - Rockwell published an update for their Logix Designer Application advisory originally published on March 31st, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-090-07) for this new information.

Schneider Update #1 - Schneider published an update for their APC Smart-UPS advisory that was originally published on March 8th, 2022 and most recently updated on March 24th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-21-313-01) for this new information.

Schneider Update #2 - Schneider published an update for their Network Management Card advisory that was originally published on November 9th, 2022.

Siemens Update #1 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on April 12th, 2022.

Siemens Update #2 - Siemens published an update for their GNU/Linux advisory that was  originally published in 2018 and most recently updated on April 14th, 2022.

NOTE: NCCIC-ICS did not update their advisory (icsa-22-104-13) for this information.

Siemens Update #3 - Siemens published an update for their Log4Shell advisory that was was originally published on December 13th, 2021 and most recently updated on April 12th, 2022.

Siemens Update #4 - Siemens published an update for their Mbed TLS of LOGO! advisory that was originally published on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-20) for this new information.

Siemens published an update for their SIMATIC WinCC advisory that was originally published on November 11th, 2021 and most recently updated on April 14th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-315-03) for this new information.

XINJE Report - Claroty published a report about two vulnerabilities in the XINJE PLC programming tool.

Rockwell Report - ZDI published a report about a sensitive information disclosure vulnerability in the Rockwell ISaGRAF.

USR IOT Exploit - LiquidWorm published an exploit for a hard-coded credentials vulnerability in the USR IOT 4G LTE Industrial Cellular VPN Router.

Spring4Shell Exploit - Vleminator published a Metasploit module for the SpringShell vulnerabilities.

 

For more details about these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-34b - subscription required.

Saturday, May 14, 2022

Review – Public ICS Disclosures – Week of 5-7-22 – Part 1

Happy Saturday after 2nd Tuesday. It is another busy week in ICS disclosures. In Part 1 we have 25 vendor disclosures from Hitachi, Hitachi Energy (2), HP (7), HPE (11), InHand Networks, and Palo Alto Networks (4). There are lots of Intel vulnerabilities lurking here.

Hitachi Advisory - Hitachi published an advisory that discusses 69 vulnerabilities in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses an off-by-one error vulnerability (with multiple exploits available) in their TXpert Hub CoreTec 4 product.

Hitachi Energy Advisory #2 – Hitachi Energy published an advisory that describes three vulnerabilities in their TXpert Hub CoreTec 4 product.

HP Advisory #1 - HP published an advisory that discusses 28 vulnerabilities in a variety of HP products that utilize the AMD Client UEFI Firmware.

HP Advisory #2 - HP published an advisory that describes a privilege escalation vulnerability in their Jumpstart software in a variety of HP products.

HP Advisory #3 - HP published an advisory that discusses 8 vulnerabilities in a variety of HP products that utilize Intel® Solid State Drive (SSD) or Intel Optane™ SSD products.

HP Advisory #4 - HP published an advisory that discusses a privilege escalation vulnerability in a variety of HP products that utilize Intel® Boot Guard or Intel® Trusted Execution Technology (TXT).

HP Advisory #5 - HP published an advisory that discusses 15 vulnerabilities in a variety of HP products that utilize the Intel 2022.1 IPU BIOS.

HP Advisory #6 - HP published an advisory that describes two vulnerabilities in a variety of HP products that utilize the HP PC BIOS.

HP Advisory #7 - HP published an advisory that describes five vulnerabilities in their UEFI Firmware used in a variety of HP products.

HPE Advisory #1 - HPE published an advisory that describes eleven vulnerabilities in their HPE ProLiant and Apollo Servers.

HPE Advisory #2 - HPE published an advisory that discusses a disclosure of information vulnerability in their ProLiant DL/ML/MicroServer Servers.

HPE Advisory #3 - HPE published an advisory that discusses two vulnerabilities in their PE ProLiant BL/DL/ML/XL and Apollo Servers.

HPE Advisory #4 - HPE published an advisory that discusses a disclosure of information vulnerability in their HPE ProLiant ML/DL/MicroServer Servers.

HPE Advisory #5 - HPE published an advisory that discusses eleven vulnerabilities in their Synergy Servers.

HPE Advisory #6 - HPE published an advisory that discusses an improver validation of array index vulnerability (with publicly available exploit) in their Nimble Storage product.

HPE Advisory #7 - HPE published an advisory that discusses two vulnerabilities in their Synergy Servers.

HPE Advisory #8 - HPE published an advisory that discusses eleven vulnerabilities in their ProLiant DX Servers.

HPE Advisory #9 - HPE published an advisory that discusses two vulnerabilities in their ProLiant DX Servers.

HPE Advisory #10 - HPE published an advisory that discusses two vulnerabilities in various HPE storage products.

HPE Advisory #11 - HPE published an advisory that discusses eleven vulnerabilities in various HPE storage products.

InHand Advisory - InHand published an advisory that describes 17 vulnerabilities in their e Industrial Router IR302.

Palo Alto Advisory #1 - Palo Alto published an advisory that describes an improper neutralization of special elements vulnerability in their PAN-OS.

Palo Alto Advisory #2 - Palo Alto published an advisory that describes an uncontrolled search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #3 - Palo Alto published an advisory that describes a privilege escalation vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #4 - Palo Alto published an advisory that describes an incorrect authorization vulnerability in their Cortex XSOAR.

 

For more details about these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5 - subscription required.

 
/* Use this with templates/template-twocol.html */