Tuesday, February 11, 2025

Short Takes – 2-11-25

New type of painkiller approved in US. ChemistryWorld.com article. Pull quote: “Journavx will be more expensive than opioids, which could cause conflicts over access depending on health insurers and national providers’ willingness to cover the cost. ‘Post-operative pain management is usually bundled into surgical costs, and this drug is expensive compared to opiates,’ says Cohen. ‘It therefore might not be used because it eats into hospital profits.’ It may be unavailable or approved only for specific indications in some hospitals, he adds.”

The dream of offshore rocket launches is finally blasting off. TechnologyReview.com article. Pull quote: “But at the moment, sea-based launches are limited to small rockets that can deploy payloads of a few thousand pounds to orbit. No ocean spaceport is currently equipped to handle the world’s most powerful rockets, like SpaceX’s Falcon Heavy, which can deliver more than 140,000 pounds to orbit. There are also currently no public plans to invest in sea-based infrastructure for heavy-lift rockets, but that may change if smaller offshore spaceports prove to be reliable and affordable options.”

Bird flu confirmed in Nevada dairy worker. TheHill.com article. Pull quote: “The individual had conjunctivitis, commonly called pink eye, and no other reported symptoms.”

Getting rid of the penny introduces a new problem: nickels. CNN.com article. Pull quote: “One reason that the government has to make so many pennies every year is a large percentage of them don’t remain in circulation. They are stashed in penny jars or junk drawers at home. Or they fall on the ground and people don’t even bother to pick them up.”

ULA’s Vulcan rocket still doesn’t have the Space Force’s seal of approval. ArsTechnica.com article. Pull quote: “The good news is that United Launch Alliance has an inventory of rockets awaiting an opportunity to fly. The company plans to finish manufacturing its remaining 15 Atlas V rockets within a few months, allowing the factory in Decatur, Alabama, to focus solely on producing Vulcan launch vehicles. ULA has all the major parts for two Vulcan rockets in storage at Cape Canaveral.”

NASA, SpaceX Update Crew-10 Launch, Crew-9 Return Dates. Blogs.NASA.gov blog post. Pull quote: “After Crew-10 arrives to the space station, Crew-9 will help the newly arrived crew familiarize with ongoing science and station maintenance work, which supports a safer transition of operations aboard the orbital complex. Following the handover, NASA and SpaceX will prepare to return to Earth NASA astronauts Nick Hague, Suni Williams, and Butch Wilmore, along with Roscosmos cosmonaut Aleksandr Gorbunov aboard Crew-9 pending weather conditions at the splashdown sites off the coast of Florida.”

House GOP skeptical it can advance Trump agenda by week’s end. TheHill.com article. Budget Committee markup hearing on Thursday. Pull quote: “Arrington’s [Rep (R,TX)] blueprint included a $4.5 trillion budgetary cap on how much it would cost to extend Trump’s 2017 tax cuts, a figure Smith said wouldn’t be enough. It also outlined a $1.5 trillion floor for spending cuts with a target of cutting $2 trillion.” Those figures are already being questioned by the House Ways and Means Committee Chair.

Lawsuits Related to Trump Admin Actions. CourtWatch.news list of court cases with links.

EO 14200 - Amendment to Duties Addressing the Synthetic Opioid Supply Chain in the People's Republic of China. Federal Register.

EO 14201 - Keeping Men Out of Women's Sports. Federal Register.

CISA Adds 2 Zyxel Vulnerabilities to KEV Catalog – 2-11-25

Today CISA added two OS command injection vulnerabilities in the Zyxel VMG4325-B10A wireless N VDSL2 bonding combo WAN Gigabit gateway. These vulnerabilities were previously reported by Zyxel on February 4th, 2025. Zyxel reports that the affected products are end-of-life (and have been for a while) and no fix is planned. The vulnerabilities were reported to Zyxel last year by VulnCheck and GreyNoise.

Since the affected products are EOL, CISA directs federal agencies to “discontinue product utilization if a current mitigation is unavailable.” A deadline of March 4th, 2025 has been established for agencies to stop using the affected products.

Review – 2 Updates Published – 2-11-25

Today CISA’s NCCIC-ICS published updates for two control system security advisories for products from Trimble and 2N.

Updates

Trimble Update - This update provides additional information on the Cityworks advisory that was originally published on February 6th, 2025.

2N Update - This update provides additional information on the Access Commander advisory that was originally published on November 14th, 2024.


For more information on these updates, including a down-the-rabbit-hole look at the Trimble vulnerability, see my article at CFSN Detailed Analysis - https://tinyurl.com/2dmu636x - subscription required.

Review - Bills Introduced – 2-10-25

Yesterday, with both the House and Senate in session, there were 46 bills introduced. One of those bills will receive additional coverage in this blog:

HR 1154 To direct the Secretary of Homeland Security to issue guidance with respect to space systems, services, and technology as critical infrastructure, and for other purposes. Calvert, Ken [Rep.-R-CA-41]


For more information on this bill, and a brief history of a similar bill in the 118th, along with a bills mentioned-in-passing note, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-10-25 - subscription required.

OPM Sends New Civil Service Rule to OMB

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the Office of Personnel Management (OPM) on “Improving Performance, Accountability and Responsiveness in the Civil Service”. This rulemaking was not listed in the Fall 2024 Unified Agenda.

While there are any number of reasons that an NPRM would not have been listed in the latest Unified Agenda, I suspect that this is a de novo rule from the Trump administration directed at their concerns about the ‘deep state’. I do not expect to cover this rulemaking in any depth, but I will be watching this to see how fast this rule makes it through the regulatory process.

Monday, February 10, 2025

Short Takes – 2-10-25

Expired and Expiring Authorizations of Appropriations for Fiscal Year 2024. CBO.gov report. Summary: “The Congressional Budget Office tracks authorizations of appropriations that have specified expiration dates and identifies, annually, appropriations that are provided for authorizations that have expired or that will expire by the end of the current fiscal year. For this report, CBO identified 1,264 authorizations of appropriations that expired before the beginning of fiscal year 2024 and 251 authorizations that are set to expire before the end of the fiscal year. CBO also found that $516 billion in appropriations for 2024 was associated with 491 expired authorizations of appropriations.”

White House budget proposal could shatter the National Science Foundation. ArsTechnica.com article. Pull quote: “On Thursday, two sources told Ars that the science agency should expect to see steep cuts in Trump's forthcoming budget request. In recent years, the National Science Foundation has received an annual budget of approximately $9 billion, the vast majority of which is spent on research and research-related activities. The cuts could be as deep as 66 percent, with one person indicating the top-line budget number for the National Science Foundation could start at $3 billion.”

Bird flu variant found in Nevada cows shows signs of adaptation to mammals. CNN.com article. Pull quote: “Most bird flu infections in dairy cattle in the US have been the B3.13 variant, or what’s become known as the “cattle clade.” Researchers aren’t sure how the D1.1 variant was transmitted to the Nevada cows. Dairy farmers with infected herds reported large die-offs of wild birds near their farms before their cows got sick, according to the USDA.”

The Occurrence of Another Highly Pathogenic Avian Influenza (HPAI) Spillover from Wild Birds into Dairy Cattle. APHIS.USDA.gov report. Pull quote: “While genotype D1.1 has been the dominant strain circulating in migratory wild birds across all four North American flyways during the winter of 2024-2025, these Nevada cases represent the first detection of a genotype other than B3.13 in U.S. dairy cattle and the second known spillover from wild birds into lactating dairy cattle.”

The NSA's "Big Delete". Popular.info article. Pull quote: “One example included a job listing page for the Department of Homeland Security that removed language about maintaining an “inclusive environment.” The Post also found examples of words being removed that had nothing to do with DEI, such as a page on the Department of the Interior’s website that boasted of its museums' “diverse collections,” removing the word “diverse.””

Seed oil-based polymer should survive a day in the rain but degrade within years in the sea. ChemistryWorld.com article. Pull quote: “The resulting polyesteramides had good thermal and mechanical properties, and melting temperatures equal to or surpassing those of some commercial plastics. ‘It was really interesting that they were able to make bioderived polyesteramides that had thermal properties comparable to common commodity plastics that we’re going to need to transition away from, like low-density and high-density polyethylene,’ comments Clare Mahon, a biodegradable polymers expert at the University of Durham in the UK.”

Trump might be stuck with Biden’s funding priorities for longer than GOP hoped. TheHill.com article. Pull quote: “House Appropriations Committee Chair Tom Cole (R-Okla.) said this week that the appetite is “growing” for a funding stopgap, also known as a continuing resolution (CR), that runs through September, as lawmakers run months behind in finishing up their funding bills for fiscal 2025.”

EO 14196 - A Plan for Establishing a United States Sovereign Wealth Fund. Federal Register.

EO 14197 - Progress on the Situation at Our Northern Border. Federal Register.

EO 14198 - Progress on the Situation at Our Southern Border. Federal Register.

EO 14199 - Withdrawing the United States From and Ending Funding to Certain United Nations Organizations and Reviewing United States Support to All International Organizations. Federal Register.

Review – Committee Hearings – Week of 2-9-25

This week with both the House and Senate in Washington, the hearing schedule picks up a bit over last week. There is one hearing in the House on port security issues. The Senate continues their work on presidential nominations, but they do expand the list of topics covered, including an FY 2025 budget resolution markup.

Port Security

On Tuesday the Subcommittee on Transportation and Maritime Security of the House Homeland Security Committee will hold a hearing on “Examining the PRC's Strategic Port Investments in the Western Hemisphere and the Implications for Homeland Security, Part I”.

Nomination Hearings

On Thursday, the Senate Judiciary Committee is scheduled to hold a business meeting to vote on the Patel nomination.

There are two other nomination hearings scheduled this week for committees to hear testimony from the nominees:

Health, Education, Labor, and Pensions - Lori M. Chavez-DeRemer to serve as Secretary of Labor, and

Health, Education, Labor, and Pensions - Linda McMahon to serve as Secretary of Education

Budget Hearings

On Wednesday and Thursday the Senate Budget Committee is scheduled to hold a business meeting to conduct a markup of their version of the FY 2025 Budget.


For more information about these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-2-9-25 - subscription required.

Review - ChemLock and Information Sharing

This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:

CFATS is Dead,

Making ChemLock Safety Act Compliant – ChemLock Program Background,

ChemLock and Tiering,

Reader Comment – TSDB Screening for ChemLock,

ChemLock and TSDB Screening,

ChemLock and Risk Based Performance Standards,

ChemLock and Chemical-Terrorism Vulnerability Information.

NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.

The CFATS program handled a lot of sensitive information that was categorized as Chemical-Terrorism Vulnerability Information (CVI). In order to limit the exposure of that information, DHS established the Chemical Security Assessment Tool (CSAT) as a secure, on-line portal for facilities to share sensitive information with the regulators and provided a secure method for facilities to receive CVI information from DHS. If the ChemLock program is going to be upgraded to serve as a voluntary replacement for the CFATS program, a similar secure information sharing system will have to be employed to protect the information sharing required to implement that expanded program.

An authorized ChemLock program could use the security information sharing tool developed for the CFATS program as the backbone for the upgraded voluntary ChemLock program and provide a means for facilities and CISA to share chemical security intelligence information. While the Safety Act certification process would be a primary incentive for facilities to formally involve themselves in the ChemLock program, a secure source of chemical security information would also provide an additional incentive for facilities to join ChemLock, expanding the reach of the voluntary program.


For more information about using the CSAT backbone to provide an information sharing environment, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-and-information-sharing - subscription required.

Sunday, February 9, 2025

Legislative Housekeeping, 118th Congress – 2-9-25

This week the GPO printed the text of one of the last two bills that I am tracking from the 118th Congress:

S 5468, the Coast Guard Authorization Act of 2024

The GPO is continuing to have problems keeping up with the number of bills being introduced in the 119th Congress. There have been 1,864 bills introduced so far this session. I am currently tracking 30 of those bills. Only six of those bills have had their text printed (3 are disapproval resolutions that are extremely short). The earliest date of the bills without text is January 17th. Interestingly, the backlog seems to be worse for House-introduced bills than for those from the Senate; the oldest un-texted Senate bill that I am following is from January 25th.

Saturday, February 8, 2025

CRS Reports – Week of 2-1-25 – DOGE

This week the Congressional Research Service (CRS) published a report on “Department of Government Efficiency (DOGE) Executive Order: Early Implementation”. It provides a well-annotated brief background of the history of the US Digital Service (USDS), formed under President Obama, that President Trump has used as the legal framework for the operations of the DOGE. It discusses the three Executive Orders that direct how DOGE will operate and what the organizational objectives are.

There is not a great deal of information on the first two weeks of operation of DOGE, but it does provide a series of questions that Congress would probably want answered about the new agency.

A brief reminder, the CRS serves as a research agency designed to provide background information to members of Congress and their staffs to better inform congressional legislative and oversight efforts.

Review - Bills Introduced – 2-7-25

Yesterday, with just the House in session, there were 46 bills introduced. One of those bills will receive additional coverage in this blog:

HR 1126 To require a study on public health impacts as a consequence of the February 3, 2023, train derailment in East Palestine, Ohio. Joyce, David P. [Rep.-R-OH-14]


For more information on this bill, and the previous versions that were proposed in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-7-25 - subscription required.

Chemical Incident Reporting – Week of 2-1-25

NOTE: See here for series background.

Martinez, CA – 2-1-25

Local News Report: Here, here, and here.

There was a fire at a refinery. Six people were injured; three were transported to the hospital. There has not been any description of the damage to the refinery, but it is extensive.

CSB reportable.

Clairton, PA – 1-5-25

Local News Report: Here and here.

There was an explosion in a coke battery that injured two workers. Both were transported to the hospital, treated for minor eye injuries and released.

Probably not CSB reportable unless damages were high.

Review – Public ICS Disclosures – Week of 2-1-25

This week we have 19 vendor disclosures from ABB, Broadcom, Delta, HP (4), HPE (4), Meinberg, Moxa (2), Supermicro, WAGO (2), WithSecure, and Zyxel. We have two vendor updates from Broadcom and HP. Finally, there are also eleven researcher reports of vulnerabilities in products from ABB (8), Four-Faith (2), and Sensaphone.

Advisories

ABB Advisory - ABB published an advisory that describes a use of hard-coded credentials vulnerability (with publicly available exploit) in their ASPECT Energy Management System.

Broadcom Advisory - Broadcom published an advisory that discusses 25 Ivanti product vulnerabilities.

Delta Advisory - Delta published an advisory that describes a heap-based buffer overflow vulnerability in their CNCSoft-G2 product.

HP Advisory #1 - HP published an advisory that describes an improper handling of unexpected data type vulnerability in their LaserJet Pro Printers.

HP Advisory #2 - HP published an advisory that discusses two vulnerabilities in their Business Notebook products.

HP Advisory #3 - HP published an advisory that describes a path traversal vulnerability in their Poly Edge E devices.

HP Advisory #4 - HP published an advisory that describes an improper check for dropped privileges vulnerability in their Anyware Agent for Linux product.

HPE Advisory #1 - HPE published an advisory that discusses the BadRAM vulnerability in their HPE ProLiant Servers. This is a third-party (AMD) vulnerability.

HPE Advisory #2 - HPE published an advisory that discusses a protection measure failure vulnerability in their ProLiant DX Servers.

HPE Advisory #3 - HPE published an advisory that discusses an incorrect behavior order vulnerability in their ProLiant DX Servers.

HPE Advisory #4 - HPE published an advisory that discusses an improper verification of cryptographic signature vulnerability (with publicly available exploit) in their ProLiant AMD Servers.

Meinberg Advisory - Meinberg published an advisory that discusses four vulnerabilities in their LANTIME firmware.

Moxa Advisory #1 - Moxa published an advisory that describes an improper validation of specified type of input vulnerability in multiple Moxa switches.

Moxa Advisory #2 - Moxa published an advisory that describes an out-of-bounds write vulnerability in multiple Moxa switches.

Supermicro Advisory - Supermicro published an advisory that discusses an improper verification of cryptographic signature vulnerability (with publicly available exploit) in unnamed Supermicro products.

WAGO Advisory #1 - CERT-VDE published an advisory that discusses an OS command injection vulnerability in multiple WAGO products.

WAGO Advisory #2 - CERT-VDE published an advisory that discusses an incorrect calculation of buffer size vulnerability in multiple WAGO products.

WithSecure Advisory - WithSecure published an advisory that describes a denial of service vulnerability in multiple WithSecure products.

Zyxel Advisory - Zyxel published an advisory that describes three vulnerabilities in multiple legacy DSL CPE models.

Updates

Broadcom Update - Broadcom published an update for their GridGain Security advisory that was originally published on October 16th, 2024.

HP Update - HP published an update for their AMD Graphics Driver advisory that was originally published on August 13th, 2024, and most recently updated on October 10th, 2024.

Researcher Report

ABB Reports - Zero Science published eight reports about vulnerabilities in the ABB Cylon FLXeon BACnet controller.

Four-Faith Report #1 - VulnCheck published a report about a use of hard-coded credentials vulnerability in the Four-Faith F3x36 router.

Four-Faith Report #2 - VulnCheck published a report about a hidden functionality vulnerability in the Four-Faith F3x36 router.

Sensaphone Report - Tyler Butler published a report that describes a stored cross-site scripting vulnerability (with a publicly available exploit) in the Sensaphone WEB600 Monitoring System.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-335 - subscription required.

Friday, February 7, 2025

Short Takes – 2-7-25

Speaker Johnson: House lawmakers to work through weekend amid Trump agenda stalemate. TheHill.com article. Does not sound like the Pull quote: ““There’s going to be real, dramatic growth in the economy for individual families, more money in somebody’s paycheck, and ultimately that will be quantified. But CBO’s method of coming up with dynamic scoring on that is going to be different than OMB [the Office of Management and Budget] and other people. So we’re going to be looking at the most accurate models,” Scalise said.”

Politico publishes note ‘to set the record straight’ on government subscription outrage. TheHill.com article. Pull quote: ““POLITICO has been the subject of debate on X this week. Some of it has been misinformed, and some of it has been flat-out false. Let’s set the record straight,” the outlet wrote as part of a memo published on its website. “POLITICO is a privately owned company. We have never received any government funding — no subsidies, no grants, no handouts. Not one dime, ever, in 18 years.””

Europe has the worst imaginable idea to counter SpaceX’s launch dominance. ArsTechnica.com article. Pull quote: “It is difficult to see Airbus and some of the other large, institutional space companies in Europe banding together and becoming nimble and more efficient operators in spaceflight. That would require enormous changes in companies that have decades of ossified culture, with layers of management that are difficult to cut through.” The same could have been said about Boeing, ULA, and NASA five years ago; then SpaceX et al. changed the environment. Maybe Europe needs a European entrepreneurial startup.

German company Atmos launching 1st cargo-return capsule on upcoming SpaceX mission. Space.com article. Pull quote: “The initial version of the capsule can carry up to 220 pounds (100 kilograms) of goods down to Earth, but future iterations will be able to handle several tons — meaning they could transport objects as large as rocket stages, according to Atmos.”

Revisions to Maritime Security (MARSEC) Directive 104-6; Guidelines for U.S. Vessels Operating in High Risk Waters. Federal Register Coast Guard notice. Summary: “The Coast Guard announces the availability of Revision 9 to Maritime Security (MARSEC) Directive 104-6, which provides guidelines for U.S. vessels operating in high-risk waters (HRW) where acts of terrorism, piracy, and armed robbery against ships are prevalent. The directive contains security-sensitive information and, therefore, cannot be made available to the general public. U.S. vessel owners and operators who have needed to take action under previous versions of MARSEC Directive 104-6, should immediately contact their local Coast Guard Captain of the Port or District Commander for a copy of Revision 9. This revision contains important updates to HRW locations and organizational responsibilities regarding addressing security risks in those waters.” Effective date: January 10th, 2025.

EO 14193 - Imposing Duties to Address the Flow of Illicit Drugs Across Our Northern Border. Federal Register.

EO 14194 - Imposing Duties to Address the Situation at Our Southern Border. Federal Register.

EO 14195 - Imposing Duties to Address the Synthetic Opioid Supply Chain in the People's Republic of China. Federal Register.

CISA Adds Trimble Vulnerability to KEV Catalog – 2-7-25

Today CISA announced that it had added a deserialization of untrusted data vulnerability in the Trimble Cityworks products to their Known Exploited Vulnerabilities (KEV) catalog. This vulnerability was reported by Trimble. CISA published an advisory yesterday describing this vulnerability. Trimble has published a list of indicators of compromise.

CISA has directed Federal agencies utilizing the affected Trimble products to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” CISA has set a deadline of February 28th, 2025, for such agencies to complete these actions.

Review - Bills Introduced – 2-5-25 (Senate Bills)

Congress.gov now has the 44 bills available that were introduced in the Senate during the extended session of February 5th, 2025. Six of those bills may receive additional coverage in this blog:

S 428 A bill to promote space situational awareness and space traffic coordination and to modify the functions and leadership of the Office of Space Commerce, and for other purposes. Cornyn, John [Sen.-R-TX]

S 431 A bill to amend section 1030 of title 18, United States Code, to include conspiracy in the offenses and penalties relating to computer fraud. Rounds, Mike [Sen.-R-SD] 

S 433 A bill to require the Secretary of Commerce to establish the National Manufacturing Advisory Council within the Department of Commerce, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 434 A bill to establish the Commercial Space Activity Advisory Committee, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 436 A bill to amend title 10, United States Code, to modify the organization and authorities of the Assistant Secretaries of Defense with duties relating to industrial base policy and homeland defense. Sullivan, Dan [Sen.-R-AK]

S 438 A bill to amend the Homeland Security Act of 2002 to provide for education and training programs and resources of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes. Rounds, Mike [Sen.-R-SD] 


For more details about these bills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-5-25-senate-bills - subscription required.

Transportation Chemical Incidents – Week of 1-4-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 390 (354 highway, 32 air, 4 rail, 0 water)

• Serious incidents – 5 (5 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 0 fire/explosion, 24 no release)

• Largest container involved – 32,900-gal 113C120W Railcar {Ethylene, Refrigerated Liquid (Cryogenic Liquid)} Overpressure venting.

• Largest amount spilled – 4,000-gal DOT 406 Tank Truck {Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol} Trailer damaged in roll-over truck accident.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Trifluoroacetic Acid – A colorless fuming liquid with a pungent odor. Soluble in water and denser than water. Corrosive to skin, eyes and mucous membranes. Used to make other chemicals and as a solvent. (Source: CameoChemicals.NOAA.gov).


Thursday, February 6, 2025

Short Takes – 2-5-25

Dairy cows infected with second version of bird flu. WashingtonPost.com article (free). Pull quote: “The Animal and Plant Health Inspection Service, a division of the Agriculture Department, said [link added] the detection of this version of the virus was confirmed Jan. 31 after it was found in raw milk collected from a silo [for dairy herd in Nevada] as part of a national milk testing strategy begun last year by the USDA. Lakdawala, the Emory virologist, said more enhanced testing of raw milk collected from dairy farms and processors nationwide could determine if this second version of the virus is in cattle in other states, given how widespread the virus is in birds.”

The heist of 100,000 eggs in Pennsylvania becomes a whodunit that police have yet to crack. APNews.com article. Pull quote: “Four days after the theft that law enforcement say could be tied to the sky-high cost of eggs, no leads have come in, Trooper First Class Megan Frazer, a spokesperson for the Pennsylvania State Police, said Wednesday.”

Ukraine Needs U.S. Weapons. Trump Wants Its Rare Earth Minerals In Return. RFERL.org article. Pull quote: “It also has less-rare, more abundant minerals that are also coveted for use in technology and cutting-edge industries: lithium, for example, which is used widely in batteries of all sorts, and titanium, which is used in airplane manufacturing. Some estimates say the country's lithium deposits could be valued at billions of dollars.”

EO 14192 – Unleashing Prosperity Through Deregulation. Federal Register.

Review – Bills Introduced – 2-5-25

Yesterday, with both the House and Senate in session, there were 73 bills introduced. Actually, there were 117 bills introduced, but the 44 bills introduced in the Senate (according to the Congressional Record) were not reported by the Congress.gov website because of the all-night session held in the Senate. Of the 73 bills introduced in the House four will probably receive additional coverage in this newsletter:

HR 1000 To amend the Homeland Security Act of 2002 to provide for education and training programs and resources of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes. Green, Mark E. [Rep.-R-TN-7]

HR 1034 To amend the Homeland Security Act of 2002 to establish a DHS Cybersecurity On-the-Job Training Program, and for other purposes. Turner, Sylvester [Rep.-D-TX-18]

H Res 113 Directing the Secretary of Homeland Security to transmit to the House of Representatives certain documents relating to Department of Homeland Security policies and activities related to the security of Department information and data and the recruitment and retention of its workforce. Thompson, Bennie G. [Rep.-D-MS-2]

H Res 114 Directing the Secretary of Homeland Security to transmit to the House of Representatives certain documents relating to Department of Homeland Security policies and activities related to domestic preparedness and collective response to terrorism and the Department's cybersecurity activities. Thompson, Bennie G. [Rep.-D-MS-2]


For more information on these bills, including a brief history of similar bills introduced in the 118th, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-5-25 - subscription required. 

S 245 Ordered Reported Favorably in Senate - Insure Cybersecurity Act

Yesterday, the Senate Commerce, Science, and Transportation Committee held a business meeting to consider 17 pieces of legislation. Among those bills was S 245, the Insure Cybersecurity Act of 2025. According to yesterday’s Congressional Record the bill was ordered reported favorably without any amendments. No word is available in the CR or the meeting record about the type of vote held on that order.

Once the Committee report is published (which could be months), the bill would be cleared for consideration before the full Senate. It is unlikely to be considered under regular order (too time consuming with too many nominations to consider). If it is considered, it would be under the Senate’s unanimous consent process.

No committee action was taken on a similar bill, S 513, last session. This is not a Republican vs Democrat issue since the sponsor of the bill, Sen Hickenlooper (D,CO), is a Democrat. This seems more likely to be a change in focus of the new Republican Committee Chair, Sen Cruz (R,TX).

Review – 6 Advisories Published – 2-6-25

Today CISA’s NCCIC-ICS published four control system security advisories for products from Trimble, ABB, and Schneider (2). They also published two medical device security advisories for products from Orthanc and MicroDicom.

Advisories

Trimble Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Trimble Cityworks asset and work management system.

ABB Advisory - This advisory discusses a path traversal vulnerability in their Drive Composer products.

Schneider Advisory #1 - This advisory discusses an uncontrolled search path element vulnerability in their EcoStruxure products using FlexNet Publisher.

Schneider Advisory #2 - This advisory describes a deserialization of untrusted data vulnerability in the Schneider EcoStruxure Power Monitoring Expert.

Orthanc Advisory - This advisory describes a missing authentication for critical function vulnerability in the Orthanc Server.

MicroDicom Advisory - This advisory describes an improper certificate validation vulnerability in the MicroDicom DICOM Viewer.

 

For more information on these advisories, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-2-6-25 - subscription required.

Review – S 245 Introduced – Insure Cybersecurity

Last month, Sen Hickenlooper (D,CO) introduced S 245, the Insure Cybersecurity Act of 2025. The bill would require the Department of Commerce to convene an interagency working group to look at issues related to cyber insurance. Once a report from the working group is produced, DOC would be required to provide the public with “informative resources for cyber insurance stakeholder”. No funding is authorized by this bill.

The bill is very similar to S 513 that was introduced by Hickenlooper in January 2023. No action was taken on that bill. Significant changes were made in S 245, including adding the Federal Trade Commission and at least one State insurance regulator to the list of Working Group members. There were also numerous minor changes to the focus of listed activities for the Working Group.

Moving Forward

Hickenlooper and his sole cosponsor {Sen Capito (R,WV)} are both members of the Senate Commerce, Science and Transportation Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any significant opposition. I expect that the bill would receive bipartisan support.

The bill is not ‘important’ enough to be considered on the floor of the Senate under regular order. I suspect that the bill could be considered under the Senate’s unanimous consent process, but you never can tell what unrelated opposition could lead to an objection under that process.

Commentary

This bill makes no attempt at establishing any regulatory framework for cybersecurity insurance, which would probably be the death knell of any bill currently containing such provisions. The crafters of this bill did do Congress a disservice, however, when they did not take advantage of this working group to outline what future regulatory legislation might look like. I would have added the following subparagraph (K) to Section 3(c)(1):

(K) Identify any regulatory frameworks that may have been proposed to govern the issuance of cyber insurance.

 

For more details about the proposed legislation, see my article at CFSN Detailed Analysis - https://chemical-facility-security-news.blogspot.com/2025/02/review-s-245-introduced-insure.html [link added 2-6-25 11:50 pm EST] - subscription required.

Wednesday, February 5, 2025

Short Takes – 2-5-25

Republicans stare down massive deficits to extend Trump tax cuts. TheHill.com article. Pull quote: ““We don’t want to blow a hole in the deficit by extending the Trump-era tax cuts, for example,” Johnson said on Fox News on Monday. “But we’re definitely going to get that extended. We’ve got to find those savings.””

Musk shocks lawmakers, setting himself on collision course. TheHill.com article. Pull quote: ““I urge [Secretary of State Marco] Rubio to distribute the $340 million in American-grown food currently stalled in U.S. ports to reach those in need. Time is running out before this life-saving aid perishes,” he [Sen. Jerry Moran (R-Kan.)] posted on social media.”

Program Approval: Georgia Central Railway, L.P. and Heart of Georgia Railroad, Inc. Federal Register FRA notice. Summary: “FRA is issuing this notice to approve a petition from Georgia Central Railway, L.P. (GC) and Heart of Georgia Railroad, Inc. (HOG) (collectively, Petitioners), subsidiaries of Genesee and Wyoming (G&W), for a Test Program designed to test self-propelled, zero-emission, battery-electric rail vehicles and their associated computer and telemetry technology systems, and to evaluate the effectiveness of the system and new operational approaches to rail vehicle technology in the short-haul movement of containers. The approval grants limited, temporary suspension of certain FRA rules necessary to facilitate the conduct of the Test Program, including an exemption for certain safety appliance laws (collectively, Impacted FRA Safety Standards).”

What’s next for smart glasses? TechnologyReview.com article. Pull quote: “These smaller players will also have an important role in creating new experiences for wearers of smart glasses. A big part of smart glasses’ usefulness hinges on their ability to send and receive information from a wearer’s smartphone—and third-party developers’ interest in building apps that run on them. The more the public can do with their glasses, the more likely they are to buy them.”

NOTE: There were no EOs published in today’s Federal Register.

cUAS Hearing Added to House Schedule – 2-6-25

Today, the House Transportation and Infrastructure Committee added a hearing for tomorrow on “Counter-Unmanned Aircraft Systems”. The Aviation Subcommittee will hear testimony from:

Catherine Cahill, The Alaska Center for UAS Integration (ACUASI),

Lisa Ellman, Commercial Drone Alliance, and

Chris McLaughlin, Dallas Fort Worth International Airport.

It would have been nice to include someone from the FAA to discuss the legal limitations on cUAS activities. Similarly, hearing from one of the companies that develops cUAS systems would also have been helpful, balanced of course by a domestic UAS manufacturer. Maybe in a future hearing.

Review – Bills Introduced – 2-4-25

Yesterday, with both the House and Senate in session, there were 119 bills introduced. Five of those bills may receive additional attention in this blog:

HR 912 To amend title V of the Public Health Service Act to secure the suicide prevention lifeline from cybersecurity incidents, and for other purposes. Obernolte, Jay [Rep.-R-CA-23]

HR 915 To authorize small business loans to finance access to modern business software, and for other purposes. Alford, Mark [Rep.-R-MO-4]

HR 928 To enhance safety requirements for trains transporting hazardous materials, and for other purposes. Deluzio, Christopher R. [Rep.-D-PA-17]

HR 971 To enhance safety requirements for trains transporting hazardous materials, and for other purposes. Sykes, Emilia Strong [Rep.-D-OH-13]

HJ Res 34 Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Environmental Protection Agency relating to "Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA)". Harshbarger, Diana [Rep.-R-TN-1]

 

For more information on these proposed bills, and one bill I mention in passing, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-4-25 - subscription required.

Tuesday, February 4, 2025

Short Takes – 2-4-25

Claroty Questions CISA and US FDA’s Suggestion of Backdoor Transmitting via Patient Monitors. CyberRiskLeaders.com article. Pull quote: “Claroty says that absent additional threat intelligence, the absence of any hidden functionality is important because it demonstrates a lack of malicious intent, and therefore changes the prioritisation of remediation activities. Said differently, this is not likely to be a campaign to harvest patient data and more likely to be an inadvertent exposure that could be leveraged to collect information or perform insecure firmware updates.”

Musk’s DOGE effort could spread malware, expose US systems to threat actors. CSOOnline.com article. Pull quote: “Michael Daniel, president and CEO of the Cyber Threat Alliance, says the unprecedented nature of Musk’s actions makes it difficult to call, but he thinks there could be serious legal consequences for Musk, his workers, and compliant government officials. “You’ve got the potential for all sorts of legal violations, privacy act violations,” he tells CSO.”

House GOP forced to punt preliminary vote on Trump legislative agenda bill. TheHill.com article. Pull quote: “Before crafting the actual bill, however, lawmakers must advance a budget resolution — which lays out the parameters of the legislation — through the Budget Committee, on which a host of hard-line conservatives [Reps Norman (R,SC), Cline (R,VA), Roy (R,TX), Clyde (R,GA), and Brecheen (R,OK)] sit and have the power to thwart any effort. Legislation needs majority support in the committee before heading to the House floor for a vote of the entire chamber.”

Boeing has now lost $2B on Starliner, but still silent on future plans. ArsTechnica.com article. Pull quote: “Although Mulholland was not in charge during Starliner's most recent setbacks, it was under his leadership that engineers made the design decisions that led to many of Starliner's problems. These include the software woes that kept the spacecraft from reaching the space station on the 2019 test flight and the use of valves in the ship's service module that were susceptible to corrosion. In 2023, just a couple of months before Starliner was supposed to launch on the crew test flight, officials discovered a design problem with Starliner's parachutes and found that Boeing installed flammable tape inside the capsule's cockpit.”

Waffle House adds egg surcharge amid rising egg prices. Fox5Atlanta.com article. Pull quote: “According to Waffle House's statement, they plan to continue to use "quality, fresh-cracked, Grade A Large eggs" in their customers' favorite meals as long as they are available. They also said that although they hope these price fluctuations will be short-lived, they cannot predict how long the egg shortage will last. In the meantime, they will continuously monitor egg prices and will adjust or remove the surcharge as market conditions allow.” Includes copy of Waffle House press release.

NASA wants a 'Super-Hubble' space telescope to search for life on alien worlds. Space.com article. Pull quote: “That could soon change, thanks to a new NASA flagship telescope being designed to seek out strange new worlds that could support life as we know it. Called the Habitable Worlds Observatory, the telescope is so massive it may even need to ride a next-gen megarocket like SpaceX's Starship to reach space; it will also require new technological innovations to hunt for Earth's twin across the light-years. Yet, even with such hefty demands, this project was tapped as a top priority for NASA in the Decadal Survey on Astronomy and Astrophysics 2020 (Astro2020), an influential report that aims to set a roadmap for the astronomy community within the decade following its release.”

Can this revolutionary plastics-recycling plant help solve the pollution crisis? Nature.com article. Pull quote: “If that makes it sound like a panacea for plastics recycling, think again. In practice, as Mura explains, the plant is currently picky about its diet of plastic waste, which must be shredded and sorted in ways similar to those used for mechanical recycling. And because, as with pyrolysis plants, not all of the facility’s products will be reborn as plastic, some critics say that the process shouldn’t count as recycling — an accusation that Mura rejects.”

As EV vehicles get heavier, they’re also getting more dangerous, safety experts say. MercuryNews.com article. Pull quote: “Griswold said this began an “arms race” among automakers. According to a 2013 UC Berkeley study titled “Pounds That Kill,” weight was found to be a critical factor in fatal auto crashes. The study found that each 1,000-pound increase in a striking vehicle’s weight increased the probability of a fatality in the struck vehicle by 47%.”

NOTE: No Executive Orders were published in today’s Federal Register.

Review – 8 Advisories and 1 Update Published – 2-4-25

Today CISA’s NCCIC-ICS published eight control system security advisories for products from AutomationDirect, Schneider (4), Elber, Rockwell Automation, and Western Telematic. They also updated an advisory for products from Ashlar-Vellum.

Advisories

AutomationDirect Advisory - This advisory describes a classic buffer overflow vulnerability in the AutomationDirect C-more EA9 HMI.

Schneider Advisory #1 - This advisory describes an improper enforcement of message integrity during transmission in a communications channel vulnerability in the Schneider Pro-face GP-Pro EX and Remote HMI.

Schneider Advisory #2 - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Modicon M340 and BMXNOE0100/0110, BMXNOR0200H products.

Schneider Advisory #3 - This advisory describes an improper restriction of XML external entity reference vulnerability in the Schneider Web Designer for Modicon.

Schneider Advisory #4 - This advisory describes an incorrect calculation of buffer size vulnerability in the Schneider M580 PLCs, BMENOR2200H and EVLink Pro AC products.

NOTE: I briefly discussed all four of these Schneider vulnerabilities on January 20th, 2025.

Elber Advisory - This advisory describes two vulnerabilities with publicly available exploits in multiple communication products from Elber.

Rockwell Advisory - This advisory describes an improper handling of exceptional conditions vulnerability in the Rockwell GuardLogix 5380 and 5580 controllers.

Western Telematic Advisory - This advisory describes an external control of file name or path vulnerability in the Western Telematic NPS Series, DSM Series, and CPM Series products.

Updates

Ashlar-Vellum Update - This update provides additional information on the Ashlar-Vellum modeling tools advisory that was originally published on October 24th, 2023.

 

For more information on these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-and-1-update-published-4e3 - subscription required.

Review – HR 128 Introduced – Fentanyl as WMD

Last month, Rep Boebert (R,CO) introduced HR 128, the Fentanyl is a WMD Act. The very short bill would direct the Countering Weapons of Mass Destruction Office of the Department of Homeland Security to treat illicit fentanyl as a weapon of mass destruction. No funding authorization is provided in this legislation.

HR 128 is identical to HR 7190 that was introduced by Boebert in February of last year. No action was taken on that bill.

Moving Forward

While Boebert is not a member of the House Homeland Security Committee to which this bill was assigned for consideration, one of her eight cosponsors this session {Rep Ogles (R,TN)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I would expect there to be significant bipartisan opposition to the bill were it to be considered, but there could be enough votes for the Committee to favorably recommend the bill to the full House.

Commentary

While fentanyl may broadly fall within the scope of the definition of the term ‘weapon of mass destruction’, there is nothing within the current scope or mission of the Countering Weapons of Mass Destruction Office that would help the federal government reduce the flow of that drug, or its precursors, into this country. Either the sponsors of this bill are unaware of the mission of the CWMD Office, or this legislation is just another bit of political grandstanding. In my opinion, while I would not be surprised at these particular congresscritters being uninformed, I suspect the latter.

 

For more information about the provisions of this bill, including additional commentary on the future of the CWMD Office, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-128-introduce - subscription required.

Monday, February 3, 2025

Short Takes – 2-3-25

Ocean Temperatures Are Rising Much Faster Than Scientists Expected. PopularMechanics.com article. Pull quote: “It isn’t exactly a surprise that the ocean is getting warmer, but the rate at which it’s doing so—roughly 400 percent faster than the rate of the 1980s—is alarming. Looking at satellite observations captured from 1985 to modern day, coupled with statistical models incorporating climate variability, scientists found that the ocean was warming at a rate of roughly 0.06 degrees Celsius per decade in the late 80s. Now, it has jumped up to 0.27 degrees Celsius per decade. The results of the study were published in the journal Environmental Research Letters.”

It seems the FAA office overseeing SpaceX’s Starship probe still has some bite. ArsTechnica.com article. Pull quote: “During last month's test flight, Starship did not deviate from its planned ground track, which took the rocket over the Gulf of Mexico, the waters between Florida and Cuba, and then the Atlantic Ocean. But the debris field extended beyond the standard airspace closure for the launch. After the accident, FAA air traffic controllers cleared additional airspace over the debris zone for more than an hour, rerouting, diverting, and delaying dozens of commercial aircraft.”

The Cislunar Competition. LawfareMedia.org article. Pull quote: “Finally, the United States should consider whether it furthers U.S. interests to keep cislunar space non-militarized, mirroring the U.S. playbook on Antarctica in the 1950s. Should China agree to keep cislunar space non-militarized, which it may very well not agree to, verification measures will be important. China would need to be significantly more open about what it is doing in cislunar space, creating a way for U.S. officials to inspect payloads before launch, similar to how nuclear arms control agreements with the Soviet Union permitted on-site inspections. To date, however, China has not even acknowledged all launches intended for the Moon until after the spacecraft are well on their way. Additionally, the United States will need improved cislunar space situational awareness to keep tabs on China’s missions once in space.”

Duffy tells DOT to prioritize areas with high birth rates. TheHill.com article. Pull quote: ““To the maximum extent permitted by law, DOT-supported or -assisted programs and activities, including without limitation, all DOT grants, loans, contracts, and DOT-supported or -assisted State contracts, shall prioritize projects and goals that … mitigate the unique impacts of DOT programs, policies, and activities on families and family-specific difficulties, such as the accessibility of transportation to families with young children, and give preference to communities with marriage and birth rates higher than the national average,” reads the undated memo, which says it is effective immediately.”

Three Actions Published by the Environmental Protection Agency With Comment Periods That Close Between February 3, 2025 and February 11, 2025; Notice of Comment Period Extension and Delay of Public Meetings. Federal Register EPA meeting notice. Summary: “This document extends the comment period for three notices published by the Environmental Protection Agency in the Federal Register on December 3, 2024 and December 13, 2024.”

EO 14183 Prioritizing Military Excellence and Readiness - Federal Register,

EO 14184 Reinstating Service Members Discharged Under the Military's COVID-19 Vaccination Mandate - Federal Register,

EO 14185 Restoring America's Fighting Force - Federal Register,

EO 14186 The Iron Dome for America - Federal Register,

EO 14187 Protecting Children From Chemical and Surgical Mutilation - Federal Register,

EO 14188 Additional Measures To Combat Anti-Semitism - Federal Register,

EO 14189 Celebrating America's 250th Birthday - Federal Register,

EO 14190 Ending Radical Indoctrination in K-12 Schooling - Federal Register,

EO 14191 Expanding Educational Freedom and Opportunity for Families - Federal Register.

Review - Committee Hearings – Week of 2-2-25

This week, with both the House and Senate in Washington, there is a relatively light hearing schedule. There is a cyber workforce hearing in the House. The Senate continues to focus on Cabinet approvals.

Cyber Workforce

On Wednesday, the House Homeland Security Committee will hold a hearing on “Preparing the Pipeline: Examining the State of America's Cyber Workforce”. No witness list is currently available.

 

For more information on these hearings, including lists of nomination hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-2-2-25 - subscription required.

Review - ChemLock and Chemical-Terrorism Vulnerability Information

This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:

CFATS is Dead,

Making ChemLock Safety Act Compliant – ChemLock Program Background,

ChemLock and Tiering,

Reader Comment – TSDB Screening for ChemLock,

ChemLock and TSDB Screening,

ChemLock and Risk Based Performance Standards.  

NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.

The CFATS program collected a great deal of sensitive information from facilities: both covered facilities and facilities submitting Top Screen information to see if they were to become covered facilities. The information provided to CISA would be of potential interest to any terrorist organization planning on attacking the facilities. To prevent that sort of information sharing, it was protected by the Chemical-Terrorism Vulnerability Information (CVI) program.

While the CFATS program was in effect, the CVI program was authorized by 6 USC 623. The regulations concerning the program can be found at 6 CFR 27.400. CISA’s predecessor published a revised guidance manual for the program in September of 2008. When CISA stood up the ChemLock program, they made no attempt to apply CVI protections to information provided under the new program, maintaining that, since the two programs were separate and distinct, there was no statutory authorization for applying the CVI protections to the ChemLock program.

Any attempt to authorize the ChemLock program is going to have to specifically deal with the protection of controlled unclassified information submitted to and developed by that program. Adaptation of the Chemical-Terrorism Vulnerability Information (CVI) program from the CFATS program would be the most obvious way of dealing with that necessity.

 

For more information on the potential use of the CFATS CVI program to support the ChemLock program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-and-chemical-terrorism-vulnerability - subscription required.

Sunday, February 2, 2025

Review – Public ICS Disclosures – Week of 1-25-25 – Part 2

For Part 2 we have nine additional vendor disclosures from NI, Philips, Rockwell (2), QNAP, SEL, SMA Solar Technology (2), and VMware. There are eight vendor updates from FortiGuard (3), HP (4), and Palo Alto Networks. Finally, we have a researcher report for vulnerabilities in products from Wind River.

Advisories

NI Advisory - NI published an advisory that describes a dependency on vulnerable third-party component vulnerability in multiple NI products.

Philips Advisory - Philips published an advisory that discusses two recent 7-ZIP vulnerabilities (CVE-2024-11477 and CVE-2025-0411).

Rockwell Advisory #1 - Rockwell published an advisory that describes an improper handling of exceptional conditions vulnerability in their GuardLogix products.

Rockwell Advisory #2 - Rockwell published an advisory that describes a cleartext transmission of sensitive information vulnerability in their PowerFlex 755 product.

QNAP Advisory - QNAP published an advisory that discusses a ClamAV heap-based buffer overflow vulnerability.

SEL Advisory - SEL published a software update notice for their Blueframe Resource Communication Services that reports a cybersecurity enhancement.

SMA Advisory #1 - CERT-VDE published an advisory that describes a cross-site request forgery vulnerability in the SMA Cluster Controller.

SMA Advisory #2 - CERT-VDE published an advisory that describes an improper restriction of rendered UI layers or frames vulnerability in the SMA Sunny Webbox.

VMware Advisory - Broadcom published an advisory that describes five vulnerabilities in the VMware Aria Operations for Logs and VMware Aria Operations updates.

Updates

FortiGuard Update #1 - FortiGuard published an update for their unchecked boundary length advisory that was originally published on January 14th, 2025, and most recently updated on January 22nd.

FortiGuard Update #2 - FortiGuard published an update for their improper access control advisory that was originally published on February 22nd, 2024.

FortiGuard Update #3 - FortiGuard published an update for their OS command injection advisory that was originally published on October 10th, 2023.

HP Update #1 - HP published an update for their Plantronics Hub advisory that was originally published on December 20th, 2023, and most recently updated on September 11th, 2024.

HP Update #2 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on September 6th, 2024.

HP Update #3 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on July 1st, 2024.

HP Update #4 - HP published an update for their Intel 2024.3 IPU advisory that was originally published on October 17, 2024, and most recently updated on January 15th, 2025.

Palo Alto Networks Update - Palo Alto Networks published an update for their PAN-OS BIOS and Bootloader advisory that was originally published on January 23rd, 2025.

Researcher Reports

Wind River Report - SEC Consult published a report that describes two weak password hash algorithm vulnerabilities in the Wind River VxWorks products.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-964 - subscription required.

Legislative Housekeeping, 118th Congress – 2-2-25

Last week, the GPO published the text of two more bills that I was tracking in the 118th Congress. This leaves just two final bills from the 118th that I would have covered if they had not been introduced so late in the session (December 11th, and December 21st respectively). The two bills published this week were:

S 5600, the NASA Transition Authorization Act of 2024, and

S 5610, the Invest in Our Democracy Act of 2024.

 