Tuesday, December 3, 2024

Short Takes – 12-3-24

Code found online exploits LogoFAIL to install Bootkitty Linux backdoor. ArsTechnica.com article. Pull quote: ““LogoFAIL was a theoretical vulnerability, and the PoC was not weaponized,” Binarly founder and CEO Alex Matrosov wrote in an interview, referring to the proof-of-concept code released by Binarly as part of the company's earlier disclosure. “This discovery shows the issues, which are hard to fix around the ecosystem, could be exploited in the wild and weaponized. The funny part is it's almost a year since we disclosed it publicly, and this happens now when threat actors have adopted it.””

Saturn’s rings will ‘disappear’ next year: Here’s why. TheHill.com article. Pull quote: ““Unfortunately, Saturn will be very close to the Sun in the sky in March, so it will be difficult to catch this from small telescopes,” she said. “However, because the Earth’s orbit is short, a similar geometry will occur in November, when Saturn is easier to view, but it won’t be quite as edge-on as in March, so the rings may be barely visible.””

Trump Labor pick surprises unions, rattles business. TheHill.com article. Pull quote: ““Trump has been very transactional,” Arthur Wheaton, director of labor studies at the Cornell School of Industrial and Labor Relations’s Buffalo Co-Lab, said in an interview. “Labor, in some small part, helped him get across the finish line, and he took the advice from Sean O’Brien [Teamsters President]. … I think that’s who was whispering in his ear.””

Raw milk producer optimistic after being shut down for bird flu detection. ArsTechnica.com article. Pull quote: “According to a November 27 alert by the California health department, officials in Santa Clara County found evidence of bird flu virus in retail samples of a batch of Raw Farm's milk, which has been recalled. It is the second time that retail testing has turned up positive results for the company and spurred a recall. The first contaminated batch was reported on November 24. The two recalled batches are those with lot codes 20241109 ("Best By" date of November 27, 2024) and 20241119 (Best By date of December 7, 2024).”

China Bans Rare Mineral Exports to the U.S. NYTimes.com article (free). Pull quote: “The United States could be somewhat less vulnerable to China’s measures now than Japan was then. Many chemical factories in the United States have closed in recent decades, so the country already buys semi-processed materials from countries other than China.”

CISA Adds Zyxel Vulnerability to KEV Catalog – 12-3-24

Today CISA announced that it had added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Included is a previously fixed path traversal vulnerability in Zyxel firewall products that Sekoia.io first reported as being exploited in the wild on its blog. CISA is ordering federal agencies to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” The compliance deadline has been set for December 24th, 2024.

NOTE: I briefly discussed this vulnerability on Saturday.

CISA added a comment to today’s announcement providing additional information on two Palo Alto Networks vulnerabilities previously added to the KEV catalog: CVE-2024-0012 and CVE-2024-9474. CISA reported that Palo Alto Networks now has additional information about the exploitation of these two vulnerabilities:

• Palo Alto Security Bulletin for CVE-2024-0012, and

• Palo Alto Security Bulletin for CVE-2024-9474 

Review – 6 Advisories and 2 Updates Published – 12-3-24

Today CISA’s NCCIC-ICS published six control system security advisories for products from Fuji Electric (2), ICONICS (and Mitsubishi), Open Automation, Siemens, and Ruijie. They also updated advisories for products from ICONICS (and Mitsubishi) and ETIC.

Advisories

Fuji Advisory #1 - This advisory describes five vulnerabilities in the Fuji Electric Tellus Lite V-Simulator.

Fuji Advisory #2 - This advisory describes 10 out-of-bounds write vulnerabilities in the Fuji Electric Monitouch V-SFT screen configuration software.

ICONICS Advisory - This advisory describes three vulnerabilities in the ICONICS GENESIS64 and Mitsubishi MC Works64 products.

Open Automation Advisory - This advisory describes an incorrect execution-assigned privileges vulnerability in the Open Automation Software package.

Siemens Advisory - This advisory discusses four vulnerabilities (two listed in CISA’s Known Exploited Vulnerabilities catalog) in the Siemens RUGGEDCOM APE1808 products.

Ruijie Advisory - This advisory describes ten vulnerabilities in the Ruijie Reyee OS.

Updates

ICONICS Update - This update provides additional information on the ICONICS and Mitsubishi advisory that was originally published on July 2nd, 2024.

ETIC Update - This update provides additional information on the Remote Access Server advisory that was originally published on November 3, 2022, and most recently updated on July 27th, 2023.


For more information on these advisories, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-2-updates-published-ee4 - subscription required.

OMB Approves EPA’s TSCA Update Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “Updates to New Chemicals Regulations Under the Toxic Substances Control Act (TSCA)”. The final rule was sent to OIRA on May 20th, 2024. The notice of proposed rulemaking (NPRM) was published on May 26th, 2023.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“EPA is reviewing public comments on the proposed amendments to the new chemicals procedural regulations under the Toxic Substances Control Act (TSCA) in 40 CFR parts 720, 721, 723, and 725. These amendments are intended to align the regulatory text with the statutory amendments that were made to TSCA in 2016 that impact the TSCA new chemicals review provisions, improve the efficiency of EPA's review processes, and update the regulations based on existing policies and experience implementing the New Chemicals Program. The proposal includes amendments that would reduce the need to redo all or part of the risk assessment by improving information initially submitted in new chemicals notices, which should also help reduce the length of time that new chemicals notices are under review. EPA is also proposing several amendments to the regulations for low volume exemptions (LVEs) and low release and exposure exemptions (LoREXs), which include requiring EPA approval of an exemption notice prior to commencement of manufacture, making per- and polyfluoroalkyl substances (PFAS) categorically ineligible for these exemptions, and providing that certain persistent, bioaccumulative, toxic (PBT) chemical substances are ineligible for these exemptions, consistent with EPA's 1999 PBT policy.”

The EPA received 51 comments on the NPRM for this action. There were detailed comments from a wide range of industries, environmental organizations, and private individuals that the EPA had to address in writing this final rule, so the final rule’s language will inevitably differ from the NPRM’s.

This is another rule that will likely run afoul of President Trump’s less-than-supportive environmental agenda. See my earlier post for the likely outcome. So why publish this rule? It will give the 48th President, if environmentally inclined, a quick rule to put back into place to re-establish environmental controls erased by Trump.

I will probably not be covering this rulemaking in any detail. I will, at least, mention its publication in the appropriate ‘Short Takes’ notice.

OMB Approves EPA PCE TSCA Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “Perchloroethylene (PCE); Regulation under the Toxic Substances Control Act (TSCA)”. The final rule was sent to OIRA on May 30th, 2024. The notice of proposed rulemaking was published on June 16th, 2023.

According to the Spring 2024 Unified Agenda entry for the rulemaking:

“On June 16, 2023, EPA proposed a rule under the Toxic Substances Control Act (TSCA) to address the unreasonable risk of injury to human health presented by perchloroethylene (PCE). PCE is a widely used solvent in a variety of occupational and consumer applications including fluorinated compound production, petroleum manufacturing, dry cleaning, and aerosol degreasing. EPA determined that PCE presents an unreasonable risk of injury to health due to the significant adverse health effects associated with exposure to PCE, including neurotoxicity effects from acute and chronic inhalation exposures and dermal exposures, and cancer from chronic inhalation exposures to PCE. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so the chemical no longer presents unreasonable risk. PCE, also known as perc and tetrachloroethylene, is a neurotoxicant and a likely human carcinogen. Neurotoxicity, in particular impaired visual and cognitive function and diminished color discrimination, are the most sensitive adverse effects driving the unreasonable risk of PCE, and other adverse effects associated with exposure include central nervous system depression, kidney and liver effects, immune system toxicity, developmental toxicity, and cancer. To address the identified unreasonable risk, EPA is proposing to prohibit most industrial and commercial uses of PCE; the manufacture (including import), processing, and distribution in commerce of PCE for the prohibited industrial and commercial uses; the manufacture (including import), processing, and distribution in commerce of PCE for all consumer use; and, the manufacture (including import), processing, distribution in commerce, and use of PCE in dry cleaning and related spot cleaning through a 10-year phaseout. 
For certain conditions of use that would not be subject to a prohibition, EPA is also proposing to require a PCE workplace chemical protection program that includes requirements to meet an inhalation exposure concentration limit and prevent direct dermal contact. EPA is also proposing to require prescriptive workplace controls for laboratory use, and to establish recordkeeping and downstream notification requirements. Additionally, EPA proposes to provide certain time-limited exemptions from requirements for certain critical or essential emergency uses of PCE for which no technically and economically feasible safer alternative is available. The Agency’s development of this rule incorporated significant stakeholder outreach and public participation, including public webinars and over 40 external meetings as well as required Federalism, Tribal, and Environmental Justice consultations and a Small Businesses Advocacy Review Panel. EPA's risk evaluation for PCE, describing the conditions of use is in docket EPA-HQ-OPPT-2019-0502, with the 2022 unreasonable risk determination and additional materials in docket EPA-HQ-OPPT-2016-0732.”

This final rule will almost certainly be negated by the Trump Administration soon after January 20th. An executive order freezing any number of regulations that have not yet taken effect by January 20th is expected on January 20th or 21st. The incoming Biden Administration took similar action in January 2021. Rolling back other recently adopted regulations will take more time.

I do not expect to cover this rulemaking in any detail here, but I do expect to announce its publication in the appropriate ‘Short Takes’ post.

TSA Sends Real ID Implementation Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule on “Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Phased Approach for Card-Based Enforcement”. The notice of proposed rulemaking (NPRM) for this action was published on September 12th, 2024.

According to the Spring 2024 Unified Agenda entry for this rulemaking (see note below):

“TSA will issue an NPRM that would explicitly allow some Federal agencies to implement the card-based enforcement provisions of the REAL ID regulations under a phased approach beginning on the May 7, 2025, enforcement deadline for REAL ID compliance. TSA intends to propose a framework under which agencies may exercise enforcement discretion through implementation of a phased enforcement plan that takes into consideration REAL ID-compliant card adoption rates, security, and operational feasibility. To ensure that agencies’ enforcement plans consistently and appropriately advance the objectives of the REAL ID regulations, this rule would require agencies’ plans be coordinated with DHS and that full enforcement is in place by May 5, 2027. Through this rule, DHS seeks to ensure that Federal agencies are well-positioned to begin enforcing the REAL ID regulations on May 7, 2025, in a manner that meets the objectives of the REAL ID Act and regulations while ensuring that agencies have flexibility to begin enforcement in a manner that minimizes operational and security risks to the Federal agencies and the public. As TSA continues to develop this regulation, we seek to engage Federal agencies, State and territorial licensing jurisdictions, and members of the public affected by implementation of REAL ID requirements.”

NOTE: Obviously, the Spring 2024 Unified Agenda was published well before the NPRM for this rulemaking, which is why there is a significant disconnect between the information in that entry and what we should expect from the final rule. The important piece of information in that entry is that card-based enforcement of the REAL ID regulations begins on May 7th, 2025. This rulemaking was designed to ease and coordinate that transition.

It is interesting to note that over 11,000 comments were submitted on the NPRM. It appears that a significant number of them (probably most, but I certainly have not read each and every one) object to the REAL ID regulations themselves, not to this implementation rule. For example, one anonymous commenter stated: “I do not support the real ID. I feel it is significant government over reach and will limit individual freedoms.” This would be part and parcel of an overweening objection to a ‘national ID card’ by most libertarians and conservatives, even though the ID cards will continue to be issued and administered by State governments.

I will not be covering this rule in any detail, but I will be mentioning its publication in the appropriate ‘Short Takes’ post.