Saturday, September 30, 2023

Short Takes – 9-30-23

WATCH OUT! CVE-2023-5129 IN LIBWEBP LIBRARY AFFECTS MILLIONS APPLICATIONS. SecurityAffairs.com article. Pull quote: ““While the vulnerability initially seems to target Chromium-based applications, now that we know better, we understand that it possesses the potential to affect a much wider range of software and applications relying on the ubiquitous libwebp package for WebP codec functionality.” reads the analysis published by Rezilion. “This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed. Consequently, a multitude of software, applications, and packages have adopted this library, or even adopted packages that libwebp is their dependency, creating a complex challenge when attempting to identify vulnerable systems. The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations.”” The next Log4Shell???

House sends Senate bill to avert government shutdown. TheHill.com article. Pull quote: “Senate Minority Leader Mitch McConnell (R-Ky.) announced shortly before the House voted that members of his conference would not allow the upper chamber’s bipartisan continuing resolution (CR) to advance, deferring to the House plan. The Senate’s proposal would keep the government funded through Nov. 17 and it includes $5.99 billion in disaster relief and $6.15 billion in Ukraine aid.”

Pakistan nuclear weapons, 2023. TheBulletin.org article. Pull quote: “We estimate that Pakistan now has a nuclear weapons stockpile of approximately 170 warheads (See Table 1). The US Defense Intelligence Agency projected in 1999 that Pakistan would have 60 to 80 warheads by 2020 (US Defense Intelligence Agency 1999, 38), but several new weapon systems have been fielded and developed since then, which leads us to a higher estimate. Our estimate comes with considerable uncertainty because neither Pakistan nor other countries publish much information about the Pakistani nuclear arsenal.” Easy to forget that Pakistan was 5th nuclear power before North Korea.

America’s Advanced Manufacturing Problem—and How to Fix It. AmericanAffairsJournal.com article. Pull quote: “The United States does not currently have the correct institutional infrastructure and accompanying operational mechanisms to support advanced manufacturing. Industry, government, and academia are largely unlinked when it comes to advanced production technology and processes, and there is a similar lack of interagency coordination within the government. Pathways necessary for diffusing new technologies and getting them to market are missing, including a lack of scale-up financing mechanisms. The vocational education system has withered as has the corporate lab system.”

First-of-Its Kind Dataset Shows Future Flooding Risk at Neighborhood Level. HomelandSecurityNewswire.com article. Pull quote: “A new data portal, the Climate Risk and Resilience Portal (ClimRR), houses all the data from these [flood risk] simulations for the continental United States. ClimRR was recently launched at Argonne with support from AT&T and FEMA and won a 2023 Climate Leadership Award and an R&D 100 Award.”

The Southern Border Poses Terrorism Risks. Homegrown Threats Still Loom Larger. HomelandSecurityNewswire.com article. Pull quote: “Most modern acts of American terrorism directed or inspired by foreign terrorist organizations—such as ISIS-inspired attacks in the cities of San Bernardino, Orlando, and New York between 2015 and 2017—are instead committed by “homegrown” legal immigrants or U.S. citizens. This was in fact a deliberate strategy pursued by groups such as the self-proclaimed Islamic State, which calculated—correctly—that it would be far easier to inspire lone actors in the United States than attempt to send operatives into the country.”

Requests for Comments; Clearance of a Renewed Approval of Information Collection: Survey of Uncrewed-Aircraft-Systems Operators. Federal Register FAA 60-day ICR notice. Summary: “The information collection involves a survey of uncrewed-aircraft-systems (UAS) operators within the United States. The information gathered through the survey's questionnaire on flight behavior and fleet characteristics is used to inform UAS rule making and guide investment in UAS research and infrastructure. This renewal seeks to continue the survey and improve the survey design to increase the generalization of survey results.”

Senate Passes HR 5860 – Clean CR

This evening, after hours of backroom dealing, the Senate took up HR 5860, the clean continuing resolution that the House pressed through earlier today, and passed it by a vote of 88 to 9. The Senate needed a unanimous consent process to consider the bill today, and there was an open question about whether deals were in place to ensure that no one objected. The bill continues the FY 2023 funding rates for the government through November 17th, 2023. The bill will be signed by the President tonight; even if it is slightly after midnight, there will be no governmental shutdown this week.

While the House bucked the control of the Republican 11 to pass the CR, that does not guarantee that the same deals will allow the passage of additional spending bills or approving conference committee versions of the final bill. There is also a question of a possible vacate the chair motion next week as the Republican fringe decides whether or not they will try to punish the Speaker for working with Democrats to pass the CR.

Chemical Incident Reporting – Week of 9-16-23

NOTE: See here for series background.

Teutopolis, IN – 9-29-23

Local news reports: Here, here, and here.

Anhydrous ammonia leak from tanker truck involved in traffic accident – five dead and five injured.

Not CSB reportable, as this is a transportation incident, not a fixed facility. NTSB would be the federal investigative agency, and an NTSB team is investigating.

OMB Approves DOD NISPOM Amendment

On Wednesday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a DOD notice of proposed rulemaking for “National Industrial Security Program Operating Manual (NISPOM); Second Amendment”. According to the Spring 2023 Unified Agenda entry for this rulemaking:

“Based on public comments, DoD is proposing additional amendments to a rule last published on December 21, 2020. This amendment addresses comments received on requests for guidance and the cost to implement Security Executive Agent Directive (SEAD) 3, as well as to provide clarification on safeguarding procedures for the protection and reproduction of classified information. It also includes DoD’s response to public comments received regarding controlled unclassified information, National Interest Determination requirements for cleared contractors operating under a Special Security Agreement for Foreign Ownership, Control or Influence, and eligibility determinations for personnel security clearance processes and requirements, among others.”

DOD Sends CMMC Guidance Docs to OMB

On Wednesday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received guidance documents from the Department of Defense for their Cybersecurity Maturity Model Certification program upgrade. As is typical for guidance document submissions, none of these rulemakings were listed in the Spring 2023 Unified Agenda. The submitted documents include:

0790-ZA23 – CMMC Scoping Guide - Level 3 – Pending Review

0790-ZA22 – CMMC Scoping Guide - Level 2 – Pending Review

0790-ZA21 – CMMC Scoping Guide - Level 1 – Pending Review

0790-ZA24 – CMMC Hashing Guide – Pending Review

0790-ZA20 – CMMC Assessment Guide - Level 3 – Pending Review

0790-ZA19 – CMMC Assessment Guide - Level 2 – Pending Review

0790-ZA18 – CMMC Assessment Guide - Level 1 – Pending Review

0790-ZA17 – CMMC Model Overview – Pending Review

HR 5860 Passed in House – Clean Republican CR

In a surprise move, the House took up HR 5860 (committee print), the ‘Continuing Appropriations Act, 2024 and Other Extensions Act’, under the suspension of the rules process, and passed it by a bipartisan vote of 335 to 91 with 90 Republicans voting Nay. The bill was not added to the schedule until just before it was brought to the floor by Rep Granger (R,TX), the Chair of the House Appropriations Committee. The bill would extend FY 2023 funding rates for the federal government through November 17th, 2023. Section 129 of the bill adds $16 billion for FEMA’s disaster relief fund. A last-minute amendment was made to the bill by unanimous consent.

The Senate was scheduled to vote at 1:00 pm on the substitute language for HR 3935 that includes slightly dirtier continuing resolution language. That language would add supplemental spending for Ukraine, a controversial provision that is guaranteed to draw some opposition from Republicans. Interestingly, there are currently no Senators in the Senate chambers; I suspect that there are two separate conference meetings taking place determining if they can reach an agreement to consider HR 5860 under unanimous consent today.

It is possible that there will not be a government shutdown tonight, or (even more likely) if there is one, that it will be short.

GAO Reports – Week of 9-23-23 – Cybersecurity Audits

This week the Government Accounting Office (GAO) published a report on “Cybersecurity Program Audit Guide”. Rather than the normal GAO report on the results of an audit, this report outlines “the methodologies, techniques, and audit procedures they [auditors] need to evaluate the components of agencies' cybersecurity programs and systems.” It identifies six major components of a cybersecurity program audit:

• Asset and risk management: developing an understanding of the cyber risks to assets, systems, information, and operational capabilities.

• Configuration management: identifying and managing security features for system hardware and software and controlling changes to the configuration.

• Identity and access management: protecting computer resources from modification, loss, and disclosure by limiting authorized access.

• Continuous monitoring and logging: maintaining ongoing awareness of cybersecurity vulnerabilities and threats to an organization's systems.

• Incident response: taking action when security incidents occur.

• Contingency planning and recovery: developing contingency plans and executing successful restoration of capabilities.

Review – Public ICS Disclosures – Week of 9-23-23

This week we have 15 vendor disclosures from Belden, Hitachi (5), Hitachi Energy, HPE, Panasonic, Pilz, Rockwell (2), SEL, Synology, and VMware. There are three vendor updates from Broadcom.

Advisories

Belden Advisory - Belden published an advisory that discusses 14 vulnerabilities in a number of their Hirschmann products.

Hitachi Advisory #1 - Hitachi published an advisory that discusses an observable discrepancy vulnerability in their Command Suite and Configuration Manager products.

Hitachi Advisory #2 - Hitachi published an advisory that discusses an integer overflow or wraparound vulnerability in their Cosminexus HTTP Server.

Hitachi Advisory #3 - Hitachi published an advisory that discusses an integer overflow or wraparound vulnerability in their Cosminexus HTTP Server.

Hitachi Advisory #4 - Hitachi published an advisory that discusses an integer overflow or wraparound vulnerability in their Cosminexus HTTP Server.

Hitachi Advisory #5 - Hitachi published an advisory that discusses an allocation of resources without limit or throttling vulnerability in their Cosminexus HTTP Server.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses 14 vulnerabilities in their AFS65x, AFS67x, AFR67x and AFF66x series products.

HPE Advisory - HPE published an advisory that describes two authentication bypass vulnerabilities in their OneView product.

Panasonic Advisory - JP-CERT published an advisory that describes two vulnerabilities in the Panasonic KW Watcher product.

Pilz Advisory - Pilz published an advisory that discusses five vulnerabilities in multiple Pilz products.

Rockwell Advisory #1 - Rockwell published an advisory that discusses five vulnerabilities (listed in CISA’s KEV) in their Connected Components Workbench.

Rockwell Advisory #2 - Rockwell published an advisory that describes an out-of-bounds write vulnerability in their Logix Communication Modules.

SEL Advisory - SEL published a software update for their Configuration API which addressed three cybersecurity vulnerabilities and included two cybersecurity enhancements.

Synology Advisory - Synology published an advisory that describes a security bypass vulnerability in their Synology Router Manager (SRM).

VMware Advisory - VMware published an advisory that describes a privilege escalation vulnerability in their Aria Operations product.

Wago Advisory - CERT-VDE published an advisory that describes two vulnerabilities in their Codemeter product.

Updates

Broadcom Update #1 - Broadcom published an update for their Apache HTTP Server advisory that was originally published on August 1st, 2023.

Broadcom Update #2 - Broadcom published an update for their Apache HTTP Server advisory that was originally published on August 1st, 2023.

Broadcom Update #3 - Broadcom published an update for their sctp_make_strreset_req function advisory that was originally published on August 1st, 2023.


For more details on these disclosures, including links to researcher reports, 3rd party advisories, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-e63 - subscription required. [added link to CFSN article, 23:15 EDT, 9-30-23]

Bills Introduced – 9-29-23


Yesterday, with both the House and Senate in session, there were 58 bills introduced. One of those bills will receive additional attention in this blog:

HR 5840 To require the Transportation Security Administration to streamline the enrollment processes for individuals applying for a Transportation Security Administration security threat assessment for certain programs, including the Transportation Worker Identification Credential and Hazardous Materials Endorsement Threat Assessment programs of the Administration, and for other purposes. Graves, Garret [Rep.-R-LA-6]

Friday, September 29, 2023

Short Takes – 9-29-23

Johnson Controls International Disrupted by Major Cyberattack. DarkReading.com article. Pull quote: “The gang has allegedly stolen over 27TB of data and encrypted the company's VMware ESXi machines in a ransomware attack.”

Tris(2-chloroethyl) Phosphate (TCEP); Draft Risk Evaluation under the Toxic Substances Control Act (TSCA); Letter Peer Review; Request for Nominations of Expert Reviewers. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA) is seeking public nominations of scientific and technical experts to review the draft Risk Evaluation for Tris(2-chloroethyl) Phosphate (TCEP) conducted under the Toxic Substances Control Act (TSCA). The draft risk evaluation will be released for public review and comment in December 2023 through a separate Federal Register document and subsequently submitted for letter peer review by the expert reviewers.”

In a shift, McCarthy floats a clean stopgap without Ukraine aid. TheHill.com article. Pull quote: “What is clear is that House Republicans will no longer leave Washington for the next two weeks for a scheduled recess as they work through the funding issues and shutdown.”

HR 5525 Failed in House – Republican CR Dead

This afternoon, the House took up HR 5525, the Continuing Appropriations and Border Security Enhancement Act, 2024. The House had earlier approved H Res 741, the rule for the consideration of HR 5525 by a vote of 218 to 210. After limited debate, the bill was rejected by a vote of 198 to 232 with 21 Republicans joining all of the House Democrats in voting no.

There were no votes held today on HR 3935, the FAA reauthorization bill which the Senate will be using as the vehicle for their CR. According to @SenateCloakroom on TWITTER.com, the Senate will vote tomorrow afternoon “to invoke cloture on substitute amendment #1292 to Cal. #211, H.R.3935, legislative vehicle for the Continuing Resolution (November 17th).”

The House is currently scheduled to meet tomorrow morning at 10:00 am EDT. There is nothing on the Majority Leader’s ‘Daily Schedule’ about what is planned. There is an outside chance that the Senate could conclude their work on HR 3935 tomorrow (Sunday or Monday is more likely, but still not a given). If the Senate does approve the bill on Saturday (more likely than the House passing HR 5525 was today), the soonest the House could consider it would be Sunday (if the Rules Committee acted favorably Saturday night, which is probably why the House will be ‘in session’ tomorrow). In any case, the government is going to shut down on Sunday.

Commentary

The House taking up the Senate CR would be a major shift for Speaker McCarthy, and it would take a serious deal with the House Democrats because those 21 Republican ‘no votes’ will certainly be ‘no votes’ on a Democratic CR and there would likely be a number of others as well. The deal would probably have to include Democratic votes for McCarthy on multiple vacate the chair motions while the CR was wending its way through the House. If the House leadership was smart the deal would include a change to the House Rules that would rewrite the vacate the chair process, probably using Pelosi’s 50% of the conference process.

House Completed Consideration of Spending Bills – 9-27-23

Yesterday, the House continued their consideration of amendments for the three spending bill that they began consideration of on Tuesday, including HR 4365 (DOD spending), HR 4367 (DHS spending) HR 4368 (ARD spending) HR 4665 (State Dept spending), and HR 5692 (Ukraine supplemental). The House considered 60 amendments and passed 26. None of the amendments were of specific interest here.

Final Action

The House completed action on all five spending bills:

HR 4368 (ARD) Failed by a vote of 191 to 237 (27 Republicans voted Nay),

HR 4367 (DHS) Passed by a vote of 220 to 208 (2 Democrats voted Yea),

HR 5692 (Ukraine) Passed by a vote of 311 to 117 (117 Republicans voted Nay),

HR 4365 (DOD) Passed by a vote of 218 to 210 (2 Republicans voted Nay, 2 Democrats voted Yea),

HR 4665 (State) Passed by a vote of 216 to 212 (2 Republicans voted Nay).

Moving Forward

Three of the bills (HR 5692, HR 4365, and HR 4665) will now be forwarded to the Senate for action. The DHS bill will not be forwarded to the Senate until HR 2 (the House Republican signature border security bill) is enacted (this was included in §15 of H Res 723 that passed in the House on Tuesday). It is not yet clear what, if any, action will be taken in the Senate. If the provisions of the Senate CR included in the Senate version of HR 3935 (which I have not seen yet) are enacted, we will almost certainly see an Omnibus spending bill sometime after the first of the year. In that case no action will be taken on these bills. If HR 5525 (the House version of a short term CR being considered today) is enacted, the Senate would probably take up the DOD and DHS spending bills (perhaps as its own minibus), substitute Senate language and pass those bills. But the Senate would probably first resume consideration of HR 4366, their first minibus that includes the ARD spending. HR 5692 will likely be taken up in the Senate in either case and will probably pass without change.

Commentary

Of course, this discussion presupposes that the House will pass a continuing resolution. At this point, I do not think that that is possible. While the House was able to pass four of the five spending bills, it was only at the cost of including language that would have no chance of being considered in the Senate, of surviving a conference committee, or of being signed by the President. The language of HR 5525 fits in the same mold. Unfortunately for the House leadership, there are probably enough of the Republican 11 that see any CR as anathema that I will be surprised to see the House approve the rule for the consideration of HR 5525, much less pass the bill.

At this point, I do not see any way that any CR makes it to President Biden’s desk before midnight Saturday; the government (well, vast swaths of it anyway) will shut down on Sunday. IF HR 5525 passes, it will be some relatively lengthy period before serious negotiations are able to proceed on a bill that would reopen the government, as the Republican 11 will volubly insist on maintaining all of the provisions of HR 5525 in any deal, a non-starter as a negotiating position. If HR 5525 fails (and I expect that it will) and the Senate passes HR 3935 (FAA reauthorization) with CR provisions, Speaker McCarthy will be faced with deciding to make a deal with Democrats and facing an inevitable floor fight for retaining his speakership. In either case, McCarthy is going to have to make a deal with Democrats and face the ire of the Republican 11. Now it is just waiting to see how long it will take him to realize that.

Bills Introduced – 9-28-23

Yesterday, with both the House and Senate in session, there were 96 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 5786 To establish in the National Nuclear Security Administration a Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group. Carbajal, Salud O. [Rep.-D-CA-24]

S 2980 A bill to amend title 49, United States Code, to eliminate the requirement for cost-benefit analyses in the establishment of minimum safety standards for pipeline transportation and pipeline facilities, and for other purposes. Markey, Edward J. [Sen.-D-MA] 


Thursday, September 28, 2023

Short Takes – 9-28-23

EVs just got a big boost. We’re going to need a lot more chargers. TechnologyReview.com article. Pull quote: “EV owners would shoulder the cost of installing at-home charging equipment, but there could be additional barriers. Most homes require some electrical work to support EV charging, which can be expensive if it involves retrofitting. “The building stack generally isn’t ready for charging,” says Dan O’Brien, a modeling analyst at Energy Innovation.”

Biden approves emergency declaration in Louisiana for saltwater intrusion that threatens New Orleans. CNN.com article. Pull quote: “Extreme drought spread across parts of the Mississippi River Basin this summer and pushed water levels to near-record lows. As the river’s flow rate weakened, a surge of saltwater from the Gulf of Mexico pushed upstream, polluting drinking water for thousands of residents south of New Orleans.”

New approaches to the tech talent shortage. TechnologyReview.com article. Pull quote: “But tech doesn’t just need short-term bridges. It needs long-term solutions. That’s why some companies are looking earlier in the pipeline — and even building their own pipeline. Innovative tech leaders have begun targeting less traditionally qualified candidates, including those who have just finished secondary school, and they are cultivating that future potential through new early-career programs.” Advertorial for a free report.

Freedom Caucus presses McCarthy for answers before supporting stopgap. TheHill.com article. Pull quote: ““We remain ready to continue working in good faith with our colleagues across the Republican Conference to advance appropriations; likewise, we expect you to take every step necessary to pass these bills — starting with the four bills now under consideration to fund approximately two-thirds of the federal government,” the letter later said.”

We were promised smaller nuclear reactors. Where are they? TechnologyReview.com article. Pull quote: “The true promise of SMRs will be realized only when it’s time to build the second, the third, the fifth, and the hundredth reactor, DOE’s Huff says, and both companies and regulators are learning how to speed up the process to get there. But the benefits of SMRs are all theoretical until reactors are running, supplying electricity without the need for fossil fuels.”

One of the most intense El Niños ever observed could be forming. WashingtonPost.com article. Pull quote: “And Yeager said the research behind the latest El Niño forecast is part of a broader effort to better predict weather and climate phenomena over scales of one to two years. The research team is looking at whether the current El Niño could be followed in the spring by a rapid transition to La Niña, as has occurred in the past.”

Review – 2 Advisories and 1 Update – 9-28-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from DEXMA and Rockwell Automation. They also updated an advisory for products from Hitachi Energy.

Advisories

DEXMA Advisory - This advisory describes five vulnerabilities in the DEXMA DEXGate gateway.

Rockwell Advisory - This advisory discusses an improper input validation vulnerability in the Rockwell PanelView 800 product.

Update

Hitachi Energy Update - This update provides additional information on an advisory that was originally published on May 5th, 2023.


For more details about these advisories, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-9-28-23 - subscription required.

House Considered Spending Bills – 9-27-23

Yesterday, the House continued their consideration of amendments for the three spending bills that they began consideration of on Tuesday, including HR 4365 (DOD spending), HR 4367 (DHS spending) and HR 4368 (ARD spending). The House considered 101 amendments and passed 60. None of the amendments were of specific interest here. However…

$1 Dollar Salary

One of the little noted additions made to the House Rules earlier this year was the reinstatement of the Holman Rule. This allows for amendments to spending bills that would reduce the salary of specific government employees to $1, effectively (hopefully, according to the author of the amendment) firing the employee without having to go through the impeachment process. This process was successfully used six times yesterday:

H.Amdt.331 (HR 4368) – Boebert (R,CO) – USDA Deputy Undersecretary Stacy Dean,

H.Amdt.371 (HR 4365) – Green (R,GA) – DOD Secretary Lloyd James Austin III,

H.Amdt.381 (HR 4365) – Roy (R,TX) – DOD Director of Office for Diversity, Equity, and Inclusion Cyrus Salazar,

H.Amdt.399 (HR 4367) – Tenney (R,NY) – DHS Secretary Mayorkas,

H.Amdt.408 (HR 4367) – Boebert – USCIS Director Ur M. Jaddou, and

H.Amdt.415 (HR 4367) – Greene – DHS Secretary Mayorkas.

Commentary

All of these amendments were approved by voice votes with no attempt made to force a roll call vote. This is one of the problems with marathon legislative sessions (exacerbated in this case by considering multiple bills): controversial amendments can slip through the process. The Republican managers had little incentive to raise objections to these amendments; they have to be careful about how much they antagonize the radical fringe, as every vote counts. And, of course, no one expects these amendments to survive the inevitable conference committee.

House to Consider HR 5962 – Ukraine Security Assistance

Yesterday, the House Rules Committee met to formulate a rule for the consideration of HR 5962 [Rules Committee Print], a bill making supplemental appropriations in support of Ukraine. The rule (H Res 730) provides a closed rule (limited debate, no amendments). The rule also makes amendments to the versions of HR 4365 (DOD spending) and HR 4367 (ARD spending) that are still being considered by the House.

Nothing in HR 5962, nor in the amendments to the other two bills, is strictly of interest here in this blog. But they do provide a clear and public example of the horse trading that goes on during the consideration of major pieces of legislation.

The language of HR 5962 provides for $300 million in supplemental spending for the Ukraine Security Assistance Initiative. The language providing that funding is nearly identical to the wording in §8104 that the Rule removes from HR 4365. Additional language in HR 5962 provides that $20 million of the monies will go to fund a Special Inspector General for Ukraine Assistance.

Commentary

Removing the Ukraine funding provisions from the DOD spending bill provides cover for some Republicans {Rep Greene (R,GA) is the most obvious example} to vote for the DOD spending while still opposing funding for Ukraine. At the same time, Democrats that would oppose the DOD spending bill will now be able to vote to support funding for Ukraine, negating the opposition of a relatively small number of Republicans. Passing this bill will also provide the Speaker with some leverage (probably not much, but McCarthy needs all that he can get) in negotiations with the Senate and the President on an as yet unconsidered CR.

Interesting side light. HR 4365 contains language (§8105) prohibiting any monies provided in HR 4365 from being used to support the Azov Battalion. Moving the language of §8104 to this bill removes that restriction from the monies appropriated. Not an intended consequence, I am sure (mostly sure), but a consequence just the same.

Bills Introduced – 9-27-23

Yesterday, with both the House and Senate in session, there were eighty bills introduced. One of those bills may receive additional coverage in this blog:

HR 5759 To amend the National Quantum Initiative Act and the Cyber Security Research and Development Act to advance the rapid deployment of post quantum cybersecurity standards across the United States economy, support United States cryptography research, and for other purposes. Jackson, Jeff [Rep.-D-NC-14] 

I will be watching this bill for language and definitions that would specifically include industrial control systems and operational technologies within the scope of the requirements of the legislation.

Mention in Passing

I would like to mention two bills that were introduced yesterday that will probably not receive additional coverage in this blog:

HR 5750 To direct the Nuclear Regulatory Commission, the Secretary of Energy, and the Secretary of Agriculture to collaborate to determine the feasibility of creating the Green Nuclear Fertilizer Program, and for other purposes. Donalds, Byron [Rep.-R-FL-19]

S 2950 A bill to align the fiscal year with the calendar year. Kaine, Tim [Sen.-D-VA]

Donalds has been trying to drag the country into implementing advanced nuclear technology since he came into Congress. Unfortunately, he has not been a member of the committees to which his bills have been assigned for coverage which makes it very difficult to move the bills forward. And his association with the anti-McCarthy folks during the election of the Speaker does not make it any easier to gain bipartisan support for his legislation. Still, his efforts deserve recognition.

S 2950 looks to be very similar to HR 5612, which I mentioned in passing last week. If for no other reason than to reduce the need for continuing resolutions to give lawmakers additional time to work out spending deals (and contrary to what the Republican 11 hope, deals will almost always need to be made to move spending bills in a narrowly divided Congress), these two bills deserve action.

Wednesday, September 27, 2023

Short Takes – 9-27-23

Senate grabs wheel from House in bid to avoid shutdown. TheHill.com article. Pull quote: “They [unnamed Senators] believe that if he saves the country from going through an unpopular government shutdown, he’ll have enough political capital to beat back any move by conservative critics such as Rep. Matt Gaetz (R-Fla.) to push through a motion to kick him out of the top leadership job.” Political calculus or wishful thinking?

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions; Guidance for Industry and Food and Drug Administration Staff; Availability. Federal Register FDA notice of availability. Summary: “The Food and Drug Administration (FDA or Agency) is announcing the availability of a final guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. As a result, ensuring medical device safety and effectiveness includes adequate medical device cybersecurity, as well as its security as part of the larger system. This final guidance supersedes the final guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” issued October 2, 2014.”

McCarthy told conference he won’t allow vote on Senate stopgap: GOP lawmakers. TheHill.com article. Pull quote: “Good told reporters that McCarthy’s stopgap measure would keep the government open for 30 days, decrease spending to a top-line level of $1.471 trillion for that duration and include border security provisions. Good also noted that McCarthy wants to pass the stopgap “in conjunction with continuing to move our spending bills,” which has been a key demand among conservatives.”

House GOP agriculture spending bill on thin ice. TheHill.com article. Pull quote: “The House GOP’s bill to fund the Department of Agriculture, rural development and the Food and Drug Administration (FDA) is on thin ice after a handful of moderate Republicans said they are opposed to the legislation because of a provision that would limit access to an abortion pill.”

21 Amendments Considered for HR 4368 – FY 2024 ARD Spending Bill – 9-27-23

Yesterday (ending at about 0300 EDT today) the House started considering HR 4368, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2024 (ARD Spending) under provisions of H Res 723. There were 21 amendments addressed (actually the 1st amendment was an en bloc amendment with 40 amendments listed in H Rept 118-226, the Rules Committee Report for H Res 712), disposed of by a mix of voice votes and recorded votes. None of the amendments were of any specific interest here.

A significant number of the amendments were reductions in spending for various agencies and programs. These were from base numbers that were already lower than the spending agreement made earlier this year between the President and the Speaker. While many of the amendments reduced spending by a specific amount or per cent, the majority of the reductions were to levels in specific earlier fiscal years. Nine of those amendments failed by recorded vote:

H.Amdt.306 - Failed by recorded vote: 175 – 254,

H.Amdt.307 - Failed by recorded vote: 119 – 307,

H.Amdt.308 - Failed by recorded vote: 106 – 323,

H.Amdt.310 - Failed by recorded vote: 86 – 343,

H.Amdt.311 - Failed by recorded vote: 89 – 341,

H.Amdt.312 - Failed by recorded vote: 68 – 362,

H.Amdt.315 - Failed by recorded vote: 83 – 348,

H.Amdt.317 - Failed by recorded vote: 81 – 350, and

H.Amdt.318 - Failed by recorded vote: 105 – 325.

Today’s Consideration

The House returned to the chambers at 9:00 this morning and, instead of continuing with the ARD spending bill, took up HR 4365, the DOD spending bill. At about 3:00 pm they stopped considering the DOD bill (without completing their work) and started on HR 4367, the DHS spending bill. At about 4:30 pm, they stopped consideration of that bill (again without completing their work) and resumed working on the ARD bill. At about 5:50 pm they finished work on the amendments to the ARD bill, but did not vote on the bill, instead resuming consideration of the amendments for the DOD bill. At 6:30 pm the House completed consideration of those amendments, but did not vote on the bill; instead they resumed working on amendments for the DHS bill. That is what they are working on as I write this post.

Interestingly, HR 4665, the State Department spending bill, which was included in H Res 723, has not been considered by the House as of yet.

I will have more details on today’s considerations after the Congressional Record is printed sometime tomorrow afternoon.

Commentary

This is an unusual way to consider legislation, but at this point, it is hardly surprising that the Republican leadership is working an unusual process. It looks like McCarthy is trying to get all of the detail work of the legislative process complete before they start the final vote process. I wonder if he has concerns about the results of the votes, like perhaps a couple of the Republican 11 voting against one or more of the bills because not enough spending cuts were made.

OMB Approves BIS Missile Technology Export Final Rule

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from DOC’s Bureau of Industry and Security on “Revisions to the Export Administration Regulations Based on 2018, 2019, 2021, and 2022 Missile Technology Control Regime Plenary Agreements; and Revisions to License Exception Eligibility”. The rule was submitted to OMB on August 25th, 2023.

The entry for this rulemaking in the 2023 Spring Unified Agenda notes:

“This final rule makes revisions to the Export Administration Regulations based on 2021 and 2022 Missile Technology Control Regime Plenary Agreements; and Revisions to License Exception Eligibility”

Unless you closely follow these international arms control discussions (and I do not), there is no reasonable way to determine what BIS may include in these rules. Since cybersecurity issues have been covered in the past, I mention these now.

Tuesday, September 26, 2023

Short Takes – 9-26-23

Space Force chief says commercial satellites may need defending. ArsTechnica.com article. Pull quote: “In a modern war, "there are going to be commercial entities, commercial organizations, commercial capabilities and assets that get caught up in the conflicts," Saltzman said. "Space is no different than sea lanes. It’s no different than civilian airliner traffic in Europe right now. The US has a long history of saying we’re going to protect the things that we need to be successful. So it would stand to reason that that same philosophy would extend into space, and I have no reason to believe that that will be different.””

CISA Releases Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management. CISA.gov press release. Pull quote: ““The HBOM Framework [link added] offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain. With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington. “By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.””

Potential link found between Merck antiviral and mutated COVID strains. TheHill.com article. A little geeky, requires more study. Pull quote: ““Importantly, the divergence of the molnupiravir mutation spectrum from standard SARS-CoV-2 mutational dynamics might allow the virus to explore the fitness of distinctive parts of the possible genomic landscape to those it is already widely exploring in the general population,” the study stated.”

COVID drug molnupiravir may be driving the virus to mutate — should we worry? LiveScience.com article. A more nuanced look. Pull quote: “"We have yet to see evidence of more fit sequences arising from molnupiravir" — meaning viruses that can more easily spread and multiply — "but this work certainly provides pause for thought and should weigh heavily in considerations around future use of the drug, necessitating at the very least mitigations of the risks of this effect, alongside real world data on the effectiveness of the drug," Aris Katzourakis, a professor of evolution and genomics at the University of Oxford who was not involved in the research, told Live Science in an email.”

Cybersecurity Labeling for Internet of Things. Federal Register FCC comment extension. Summary: “In this document, the Federal Communications Commission extends the comment and reply comment periods of the Notice of the Proposed Rulemaking [link added to my blog post on NPRM, removed from paywall] (NPRM) in PS Docket No. 23–239 that was released on August 10, 2023. This document also corrects a Uniform Resource Locator (URL) link in the summary of the NPRM that was published in the Federal Register on August 25, 2023.” New comment deadline November 10th, 2023.

A Laser Fusion Breakthrough Gets a Bigger Burst of Energy. NYTimes.com article. Pull quote: “Siegfried Glenzer, a scientist at the SLAC National Accelerator Laboratory in Menlo Park, Calif., who led the initial fusion experiments at the Livermore facility years ago, said of the July advance, “The fact that the gain has gone up on the last shot is encouraging news and shows that the current implosions are not yet fully optimized.””

The Beekeepers Who Don’t Want You to Buy More Bees. NYTimes.com article. Pull quote: “Honey bees, it turns out, are a commercially managed animal — essentially livestock, like cows — and large beekeeping operations are remarkably adept at replacing colonies that die. In the United States, about one million hives are trucked each year to places like California, where honey bees pollinate almonds and other crops, Mr. Black said. It’s a major industry.”

Senate Reaches Spending Deal to Head Off Government Shutdown. NYTimes.com article. Pull quote: “The Senate proposal would meet stiff resistance from House Republicans because it includes assistance for Ukraine that many of them oppose and maintains federal funding at current levels. Many House Republicans are demanding steep cuts in even an interim funding plan. As a result, Mr. McCarthy would need Democratic votes to pass it, and leaning on Democrats would stir a backlash from his own party.”

House Actually Moves on Spending Bills

This evening the House took up H Res 723 [link is to a Rules Committee print of the bill], the rule for the consideration of four spending bills this week. The rule was adopted by a near party-line vote of 216 to 212. The sole dissenting Republican vote was Rep Greene (GA). This is the first positive vote on a spending bill in the House since they passed HR 4366, the MilCon spending bill in July.

The House then moved to begin consideration of HR 4368, the ARD spending bill. Debates and votes on amendments will begin later. No telling how late the House will be working tonight. If they intend to get all four bills considered this week, they will be voting until the wee hours of the morning.

Commentary

This does nothing to deal with the impending Saturday midnight deadline for funding the government, but after the last two weeks of Republican legislative ineptitude, it is good to see some movement on spending bills. Meanwhile, on the other side of the Hill, the Senate voted 77 to 19 to close debate on the motion to consider debate on HR 4395, the FAA authorization bill. That bill will be the vehicle for a bipartisan, relatively clean, continuing resolution. More on that tomorrow when the Congressional Record is published.

CISA Community Bulletin – 9-25-23

Yesterday, CISA emailed out the latest version of their ‘CISA Community Bulletin’. This special edition of the Bulletin is focused on the upcoming Cybersecurity Awareness Month. CISA notes:

“Each week in October, CISA will spotlight one of the four key behaviors we encourage all to take now to protect ourselves online – using strong passwords and a password manager; enabling multifactor authentication; recognizing and reporting phishing; and frequently updating software. Engage with cybersecurity experts to learn more about these actions through CISA’s webinar series, as we take a deeper dive into why we need to take these actions now.”

The four scheduled webinars are:

October 3rd, 2023 - How to Create Stronger Passwords and Debunking Myths About Password Managers,

October 10th, 2023 - The Importance of Multifactor Authentication,

October 17th, 2023 - How to Recognize and Report Phishing, and

October 24th, 2023 - Keeping Software Up to Date

You can register for these webinars here.

NOTE: Normally, I am able to provide a link to the latest version of the Bulletin, but the link provided in yesterday’s email was “%20”; not helpful at all. You can sign up to receive these bulletins (and others from CISA) at Public.GovDelivery.gov.

Review – 5 Advisories and 1 Update Published – 9-26-23

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Baker Hughes, Advantech, Mitsubishi, Hitachi Energy, and Suprema. They also updated an advisory for products from SOCOMEC.

Advisories

Baker Hughes Advisory - This advisory describes three vulnerabilities in the Baker Hughes Bently Nevada 3500 System TDI Firmware.

Advantech Advisory - This advisory describes two cross-site scripting vulnerabilities in the Advantech EKI-1524, EKI-1522, EKI-1521 devices.

Mitsubishi Advisory - This advisory describes an incorrect default permissions vulnerability in the Mitsubishi FA Engineering Software.

Hitachi Energy Advisory - This advisory describes an improper authentication vulnerability in the Hitachi Energy Asset Suite 9.

Suprema Advisory - This advisory describes an SQL injection vulnerability in the Suprema BioStar product.

Updates

SOCOMEC Update - This update provides additional information on an advisory that was originally published on January 24th, 2023.


For more information on these advisories, including links to exploits and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-942 - subscription required.

EPA Sends Accidental Release Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the EPA on “Accidental Release Prevention Requirements: Risk Management Program Under the Clean Air Act; Safer Communities by Chemical Accident Prevention”. The EPA published [removed from paywall] the notice of proposed rulemaking (NPRM) for this action on August 31st, 2022.

According to the listing for this rulemaking in the 2023 Spring Unified Agenda:

“On August 31, 2022, the Environmental Protection Agency (EPA) published proposed amendments to its Risk Management Program (RMP) regulations as a result of Agency review. The proposed revisions included several changes and amplifications to the accident prevention program requirements, enhancements to the emergency preparedness requirements, increased public availability of chemical hazard information, and several other changes to certain regulatory definitions or points of clarification. Such amendments seek to improve chemical process safety; assist in planning, preparedness, and responding to RMP-reportable accidents; and improve public awareness of chemical hazards at regulated sources. EPA plans to publish the final rule in 2023.”

Monday, September 25, 2023

Short Takes – 9-25-23

Congress stares down shutdown deadline. TheHill.com article. Nice summary of week ahead in Congress. Pull quote: “The House this week will hold a vote on advancing four spending bills — a move that will not help avert an end-of-the-month shutdown, but one that GOP leaders see as part of a strategy to send a conservative stopgap bill to the Senate.”

A NASA Spacecraft Comes Home With an Asteroid Gift for Earth. NYTimes.com article. Pull quote: “The capsule’s landing is a major win for a NASA mission called OSIRIS-REX, which stands for Origins, Spectral Interpretation, Resources Identification and Security-Regolith Explorer. The spacecraft set out in 2016 to retrieve material from Bennu, a carbon-rich asteroid about 190 feet wider than the height of the Empire State Building. Researchers hope this pristine space dirt will reveal clues about the birth of our solar system and the genesis of life on Earth.”

See who would get furloughed in a shutdown this year. GovExec.com article. Pull quote: “The Government Accountability Office, which enforces the Anti-Deficiency Act, the law that governs federal spending during shutdowns, ultimately found the Trump administration acted unlawfully during the 2018-2019 funding lapse. GAO said the Interior Department violated the law when it used recreation fees collected by the National Park Service to keep parks open and continue services such as trash collection and restroom maintenance. It also faulted the Agriculture Department for disbursing Supplemental Nutrition Assistance Program benefits early during the shutdown.”

Preventing the Improper Use of CHIPS Act Funding. Federal Register NIST final rule. Summary: “The Department of Commerce, through the National Institute of Standards and Technology, is issuing this final rule to implement conditions in the [CHIPS] Act that seek to prevent funding provided through the program from being used to directly or indirectly benefit foreign countries of concern. The rule defines terms related to these conditions, describes the types of activities that are prohibited by those conditions, and sets forth procedures for notifying the Secretary of Commerce (Secretary) of non-compliance and the process by which the Secretary will enforce these provisions.” Effective date: November 24th, 2023.

As Trump Prosecutions Move Forward, Threats and Concerns Increase. NYTimes.com article. Pull quote: “Given the attack on the Capitol by Trump supporters on Jan. 6, 2021, scholars, security experts, law enforcement officials and others are increasingly warning about the potential for lone-wolf attacks or riots by angry or troubled Americans who have taken in the heated rhetoric.”

Review - HR 5310 Introduced – Contractor VDP

Last month, Rep Lieu (D,CA) introduced HR 5310, the Improving Contractor Cybersecurity Act. The bill would require federal contractors to have a vulnerability disclosure program (VDP). While similar in intent to HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023, introduced by Rep Mace (R,SC), it does not require any modifications to the Federal Acquisition Regulations (FAR) to enforce the requirements. No funding is authorized in the legislation.

The bill would amend Chapter 47 of division C of subtitle I of 41 USC, adding a new §4715, Vulnerability disclosure policy and program required.

Moving Forward

Lieu is not a member of the House Oversight and Accountability Committee to which the bill was assigned for consideration. This means that there is probably not sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there would be sufficient bipartisan support that the bill could move to the House floor under the suspension of the rules process.

Commentary

While the definition of ‘information technology’ used in this bill is written broadly enough to include control systems and operational technologies, there is an interesting shortcoming: it only applies to “the equipment [that] is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use” of the equipment. It specifically excludes any “equipment acquired by a federal contractor incidental to a federal contract.” Thus, devices networked to ‘federally required equipment’ need not be included in the required VDP.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5310-introduced - subscription required.

Review - HR 5672 Introduced – FY 2024 CR

Last week, Rep Bacon (R,NE) introduced HR 5672, the Bipartisan Keep America Open Act. The bill would extend current spending rates through January 11th, 2024, giving legislators additional time to work out deals on the twelve spending bills or, historically an easier effort, an omnibus spending bill. Additional spending is provided for FEMA’s disaster relief programs and support for Ukraine. The bill does include some minor immigration measures as well as extensions for a number of programs.

Moving Forward

Bacon is not a member of the House Appropriations Committee to which this bill was assigned for consideration, but one of his cosponsors (Rep Case (D,HI)) is. This would mean, in the normal course of events, that there could be sufficient influence to see the bill considered in Committee. Unfortunately, there is nothing normal about the situation the House faces with spending bills. None of the normal legislative considerations apply.

Commentary

The only way that this bill will move forward is for Speaker McCarthy (R,CA) to realize that there is no way that the Republicans are going to be able to consolidate behind a spending bill of any kind. Passage of this bill would require substantial Democratic support, as more than just the Republican 11 are going to vote against it. That would cause further problems between McCarthy and the powerful Republican fringe.

I do not think that this bill will reach the floor of the House, but if the House initiates a continuing resolution that makes it to the floor for consideration, it will look something like this. More likely, the Senate will pass a CR (based on HR 3529, the FAA reauthorization bill) that is scheduled to be considered there this week. Still not sure how that bill gets to the floor of the House for a vote….


For more details about the provisions of the legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5672-introduced - subscription required.

Saturday, September 23, 2023

Review - House to Try Spending Bills Yet Again – DOD, DHS, State, and ARD

Well, as I mentioned yesterday, it was rinse and repeat on the floor of the House today. The House convened at 10:00 am EDT and then recessed at 10:33 subject to the call of the chair (after minor housekeeping). The House then reconvened at 1:47 pm EDT, agreed to meet next on Tuesday at 2:00 pm (Yom Kippur effectively blocks meetings on Sunday and Monday). Again, the whole charade was to allow the House Rules Committee to meet to formulate a rule that could be considered on Tuesday.

Rule for Considering Spending Bills

The Rules Committee also reconvened, and it formulated a single rule by which the following FY 2024 spending bills will be considered starting Tuesday:

HR 4365, DOD,

HR 4367, DHS,

HR 4665, State, and

HR 4368, ARD

Moving Forward

Sometime on Tuesday morning, the House will probably begin the debate on the rule for the consideration of these four spending bills. Twice this summer similar rules were pulled before the debate could begin because the Republican leadership counted heads and determined that they would not pass. Earlier this month, the leadership ignored their head counting and allowed similar rules to be debated and votes to proceed; they lost both votes because of defections of five or six Republicans. I have yet to see anything that would indicate that there was a significant chance that the leadership would now be able to convince essentially all Republicans to vote for this rule.


For more details about the provisions of the rule adopted today, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/house-to-try-spending-bills-yet-again - subscription required.

Review - 2023 CSS Presentation Slides Published

This week CISA updated their Chemical Security Summit page, adding a link to select presentation slides from the recent Summit. CISA, as has been their practice over the years, only makes slides available for select presentations.

Commentary

I have been following the Chemical Sector Security Summit (shortened recently to just Chemical Security Summit) since 2009. The data density on the published slides has generally increased over time. From a live presentation point of view that is a bad thing, because the audience pays more attention to reading the slides than to listening to the presenter. But for attendees going back to review the data presented, or for people who missed the presentation, the higher data density is a good thing.


For more details about the available presentations, including summaries of selected presentations, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2023-css-presentation-slides-published - subscription required.

Chemical Incident Reporting – Week of 9-16-23

NOTE: See here for series background.

Holland, MI – 9-15-23

Local news reports: Here, here, and here.

Construction accident at new battery manufacturing facility during pressure relief after pipe testing, 1 dead.

Possibly CSB reportable: if the physical failure of the piping support was the result of the discharge of pressure to atmosphere, this would most likely be a reportable incident.

Review – Public ICS Disclosures – Week of 9-16-23

This week we have 15 vendor disclosures from Frauscher, GE Gas Power, HPE (4), Ingeteam, Mitsubishi, Phoenix Contact, QNAP (3), Schweitzer Engineering Labs (2), and Zyxel. There are five vendor updates for products from Broadcom (2) and Palo Alto Networks (3). There are also two researcher reports for products from Atos and Royal Apps. Finally, we have an exploit for products from Ivanti.

Advisories

Frauscher Advisory – CERT-VDE published an advisory that describes three vulnerabilities in the Frauscher FDS101 for FAdC/FAdCi product.

GE Advisory - GE published an advisory that discusses seven vulnerabilities in the Nozomi Guardian/CMC.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities in their NonStop Products.

HPE Advisory #2 - HPE published an advisory that describes four incomplete cleanup vulnerabilities in their NonStop Products.

HPE Advisory #3 - HPE published an advisory that discusses two improper initialization vulnerabilities in their ProLiant AMD XL Servers.

HPE Advisory #4 - HPE published an advisory that discusses two improper initialization vulnerabilities in their ProLiant AMD DL Servers.

Ingeteam Advisory - Incibe-CERT published an advisory that describes three input validation vulnerabilities in the Ingeteam INGEPAC DA3451 and INGEPAC FC5066.

Mitsubishi Advisory - Mitsubishi published an advisory that describes an incorrect default permissions vulnerability in their FA Engineering Software products.

QNAP Advisory #1 - QNAP published an advisory that describes a classic buffer overflow vulnerability in their Multimedia Console products.

QNAP Advisory #2 - QNAP published an advisory that describes a classic buffer overflow vulnerability in their legacy versions of QTS products.

QNAP Advisory #3 - QNAP published an advisory that discusses three vulnerabilities in their QTS, QuTS hero, and QuTScloud.

SEL Advisory #1 - SEL published an advisory that reports vulnerabilities in their Protocol Services.

SEL Advisory #2 - SEL published an advisory that reports vulnerabilities in their Blueframe OS.

Zyxel Advisory - Zyxel published an advisory that discusses the report of a 2017 vulnerability in their EMG2926-Q10A product being listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Updates

Broadcom Update #1 - Broadcom published an update for their Apache HTTP Server advisory that was originally published on August 1st, 2023.

Broadcom Update #2 - Broadcom published an update for their HTTP Server advisory that was originally published on August 1st, 2023.

Palo Alto Networks Update #1 - Palo Alto Networks published an update for their TunnelCrack vulnerabilities advisory that was originally published on August 16th, 2023 and most recently updated on August 21st.

Palo Alto Networks Update #2 - Palo Alto Networks published an update for their Cortex XDR Agent advisory that was published on September 9th.

Palo Alto Networks Update #3 - Palo Alto Networks published an update for their BGP Software advisory that was published on September 13th, 2023.

Reports

Atos Report - SEC Consult published a report describing two vulnerabilities in the Atos Unify OpenScape. The report includes proof-of-concept code.

Royal Apps Report - Zero Science published a report that describes a heap memory corruption vulnerability in the Royal Apps RoyalTSX remote access tool.

Exploit

Ivanti Exploit - Ege Balci published a Metasploit module for an out-of-bounds write vulnerability in the Ivanti Avalanche MDM.


For more details about these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-53a - subscription required.
