This week the Congressional Research Service published a report on “Systemic Vulnerabilities in Information Technology—Log4Shell”. This report contains a brief, non-technical, overview of the vulnerability and the actions taken to date to respond to it. There is also a link-filled discussion about the range of actions that the federal government could take with respect to these types of systemic vulnerabilities.
Saturday, February 12, 2022
Monday, February 7, 2022
Committee Hearings – Week of 2-6-22
With both the House and Senate in Washington, there is an average list of hearings to be held this week. There is one cybersecurity hearing of note.
Cybersecurity
On Tuesday, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Responding to and Learning from the Log4Shell Vulnerability”. The witness list includes:
• David Nalley, Apache Software Foundation,
• Brad Arkin, Cisco Systems, Inc.,
• Jen Miller-Osborn, Palo Alto Networks, and
• Trey Herr, Scowcroft Center for Strategy and Security
There are some heavy-hitter tech company executives on the witness list, so this could get interesting, especially with the potential for blame-gaming aimed at Nalley. It is a shame that there is no one from the OT side of the tech house on the witness list, but that is probably to be expected.
On the Floor
The interesting item for the House this week, the FY 2022 spending bill, is not on the schedule. The current CR expires a week from Friday, but the House is scheduled to be doing remote committee work next week. So we are probably going to see the House take up a CR this week. Even that will probably have an impact on schedules, because the schedule for the week shows ‘no votes’ for Thursday and Friday.
News reports (see here for example) indicate that we will probably see another ‘short term’ continuing resolution to allow more negotiations to iron out the differences on the spending bill. The alternative is to do a CR that lasts until the end of September. That would allow the appropriators to start working on the FY 2023 spending package, but it would keep funding at current levels. That would effectively be a spending cut with inflation running the way it is.
Sunday, February 6, 2022
Review - Public ICS Disclosures – Week of 1-29-22 – Part 2
For Part 2 we have four more vendor disclosures from QNAP, TI, VMware, and Fujitsu. We also have five updates from Boston Scientific, Dell, Hillrom, Johnson Controls, and QNAP. There are also 98 researcher reports for vulnerabilities in products from Gerbv (2), and Bentley (96). Finally, we have three exploit reports for products from Moxa (2), and WAGO.
QNAP Advisory - QNAP published an advisory discussing the Deadbolt Ransomware attacks.
TI Advisory - TI published an advisory discussing physical security attacks on ‘silicon devices.’
VMware Advisory - VMware published an advisory describing an information disclosure vulnerability in their VMware Cloud Foundation.
Fujitsu Advisory - Fujitsu published an advisory discussing 15 vulnerabilities in Insyde® Firmware.
Boston Scientific Update - Boston Scientific published an update for their Log4Shell advisory.
Dell Update - Dell published an update for their generic Log4Shell advisory.
Hillrom Update - Hillrom published an update for their Log4Shell advisory.
Johnson Controls Update - Johnson Controls published an update for their QTS and QuTS hero advisory.
Johnson Controls Update - Johnson Controls published an update for their Log4Shell advisory.
QNAP Update - QNAP published an update for their QTS and QuTS hero advisory that was originally published on January 13th, 2021 and most recently updated on January 25th, 2022.
Gerbv Reports - Talos published two reports of vulnerabilities in the Gerbv RS-274X viewer.
Bentley Reports - The Zero Day Initiative published 96 reports (ZDI-22-149 thru ZDI-22-243) about vulnerabilities in the Bentley MicroStation and MicroStation-based applications.
Moxa Exploit #1 - Matthew Bergin published an exploit for a firmware upgrade vulnerability in the Moxa TN-5900.
Moxa Exploit #2 - Matthew Bergin published an exploit for a command injection vulnerability in the Moxa TN-5900.
WAGO Exploit - Gerhard Hechenberger published an exploit for an improper handling of exceptional conditions vulnerability in the WAGO 750-8xxx PLC.
NOTE: This was reported as a third-party (CODESYS) vulnerability, so this exploit may work (with or without modification?) on other vendor products.
For more details on these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-d73 - subscription required.
Saturday, February 5, 2022
Review - Public ICS Disclosures – Week of 1-29-22 – Part 1
This has been a very busy week for control system vulnerabilities and it is going to require a two-part post to address all of the information. This week we have 14 vendor disclosures from ABB (3), Aruba (3), Sante, Sealevel, WAGO, Emerson, FANUC, Honeywell (2), Philips, and Rockwell.
ABB Advisory #1 - ABB published an advisory describing three vulnerabilities in their SPIET800 INFI-Net to Ethernet Transfer and PNI800 S+ Ethernet communication interface modules.
ABB Advisory #2 - ABB published an advisory describing an improper input validation vulnerability in their System 800xA, Symphony® Plus IEC 61850 communication stack.
ABB Advisory #3 - ABB published an advisory describing a remote code execution vulnerability in their OPC Server for AC 800M products.
Aruba Advisory #1 - Aruba published an advisory discussing 15 vulnerabilities in their ArubaOS-CX 8000 Series Switches.
Aruba Advisory #2 - Aruba published an advisory discussing 15 vulnerabilities in their 9000 Series Gateways.
Aruba Advisory #3 - Aruba published an advisory discussing the PwnKit vulnerability in multiple product lines.
Sante Advisory - INCIBE-CERT published an advisory describing seven vulnerabilities in the Sante DICOM Viewer Pro.
Sealevel Advisory - INCIBE-CERT published an advisory describing twelve vulnerabilities in the Sealevel SeaConnect 370W Wi-Fi edge device.
WAGO Advisory - CERT-VDE published an advisory discussing a link following vulnerability in the WAGO e!COCKPIT and WAGO-I/O-Pro.
Emerson Advisory - Emerson published an advisory describing a credential disclosure vulnerability in multiple products. The vulnerability was reported by Dragos.
FANUC Advisory - FANUC published a notice reporting that none of their products are affected by the Log4Shell vulnerability.
Honeywell Advisory #1 - Honeywell published an advisory describing a command injection vulnerability in their IP PTZ Camera HDZP252DI.
Honeywell Advisory #2 - Honeywell published an advisory describing a video replay vulnerability in their IP Camera HBW2PER1.
Philips Advisory - Philips published an advisory discussing the PwnKit vulnerability.
Rockwell Advisory - Rockwell published a notice discussing a problem with the latest Microsoft® DCOM Hardening patch.
Sunday, January 23, 2022
Review - Public ICS Disclosures - Log4Shell Advisories – Week of 1-15-22
This is effectively Part 3 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 108 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-49e - a free-access article so as to avoid a lengthy duplication here.
It looks like this will be the last week of a stand-alone report on Log4Shell advisories; the volume has dropped off sufficiently to allow new advisories and updates to be included in the standard Public ICS Disclosure posts.
Sunday, January 16, 2022
Review - Public ICS Disclosures - Log4Shell Advisories – Week of 1-8-22
This is effectively Part 3 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 107 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-0c5 - a free-access article so as to avoid a lengthy duplication here.
Tuesday, January 11, 2022
Review – 1 Advisory Published – 1-11-22
Today, CISA’s NCCIC-ICS published a control system security advisory for products from Johnson Controls.
Johnson Controls Advisory - This advisory describes an improper handling of syntactically invalid structure vulnerability in the Johnson Controls (American Dynamics) VideoEdge network video recorder.
NOTE: I briefly described this vulnerability on December 25th, 2021. Johnson Controls updated their advisory to add the NCCIC-ICS advisory number and link.
Log4Shell Update - While on the Johnson Controls advisory page looking at the original notice for today’s NCCIC-ICS advisory, I noticed that they had updated their Log4Shell advisory for the 15th time yesterday.
2nd Tuesday Advisories - For the third month in a row, NCCIC-ICS has not addressed any of the 2nd Tuesday advisories that were published by Siemens and Schneider today.
For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-1-11-22 - subscription required.
Monday, January 10, 2022
Committee Hearings – Week of 1-9-22
This week, with both the House and Senate meeting in Washington, there is a light hearing schedule. Most of the Senate hearings deal with confirmations. There is one cybersecurity hearing scheduled in the House.
Cybersecurity Hearing
On Tuesday the House Committee on Oversight and Reform will hold a hearing on “Cybersecurity for the New Frontier: Reforming the Federal Information Security Modernization Act”. The witness list includes:
• Gordon Bitko, Information Technology Industry Council (formerly CIO FBI),
• Jennifer Franks, GAO,
• Ross Nodurft, Alliance for Digital Innovation (formerly OMB Cybersecurity Team Chief),
• Grant Schneider, Venable, (formerly NSC Cybersecurity Policy Director),
• Renee Wynn, RP Wynn Consulting LLC (formerly NASA CIO)
This hearing is about FISMA, so it will contain little or no discussion of operational technology issues. It will, however, be the first chance for congresscritters to ask questions about the various log4j vulnerabilities (pg4) that are causing so many problems. It will be interesting to see how good the staff work on Log4Shell is, judging by how intelligent the questions are.
On the Floor
Lite schedule on the floor of the House this week. Interestingly, there are no scheduled bills to be considered under the suspension of the rules process. This may be due to the large number of congressional Covid cases reported this weekend. The House is tightening down on Covid restrictions again. Unfortunately, no one is reporting on member or committee staffer infections; I suspect that those numbers are quite high.
Sunday, January 9, 2022
Review - Public ICS Disclosures - Log4Shell Advisories – Week of 1-1-22
This is effectively Part 2 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 99 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-b51 - a free-access article so as to avoid a lengthy duplication here.
Wednesday, January 5, 2022
Review - 1-5-22 Siemens Log4Shell Advisory
Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 28th, 2021.
It has been just over a week since Siemens published a new advisory or updated this one. This will probably be the last stand-alone report I do for updates for this advisory or the other advisories that Siemens has published on the Log4j problems. I added the Siemens advisories to the last weekly update Log4Shell list over on CFSN Detailed Analysis and that is where further reports on these advisories will be found. Unless, of course, Siemens turns up something that catches my fancy.
For more details about today’s update, see my article at
CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-5-22-siemens-log4shell-advisory
- subscription required.
Sunday, January 2, 2022
Review - Public ICS Disclosures - Log4Shell Advisories – Week of 12-25-21
This is effectively Part 2 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 91 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-eef - a free-access article so as to avoid a lengthy duplication here.
Tuesday, December 28, 2021
Review - 12-28-31 Siemens Log4Shell Advisories
Today Siemens published a new Log4j advisory and updated their original advisory.
New Advisory - Siemens published an advisory discussing a new Log4j vulnerability that affects Log4j versions through 17.0.
Update - Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 27th, 2021.
The new Log4j vulnerability almost certainly reflects the additional attention that is being focused on this no longer obscure but much used tool. Very few pieces of ‘modern’ software are apparently able to stand up to that sort of attention without yielding vulnerabilities. With no currently available exploits, nor a current Base Score, for the new vulnerability, owners will be forgiven for not paying as much attention to this new vulnerability. Unfortunately, I expect that exploits will be forthcoming more quickly than normal; the Log4j attention also attracts the ‘bad guys’.
For more details on the new advisory and update, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-28-31-siemens-log4shell-advisories - subscription required.
Monday, December 27, 2021
Review - 12-27-21 Siemens Log4Shell Advisory
Today, Siemens published another update to their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 23rd, 2021.
I have been asked why I follow Siemens advisories on a daily basis and follow everyone else just once a week. There are two reasons. First, Siemens is proactive about pushing their information out to the public, Tweeting® for each advisory and update (for today’s Tweet). The second, and more important, reason is that tracking down each of the 80 Log4Shell advisories that I reported on last Sunday takes up too much time to do on a daily basis.
For more details about the changes announced in today’s update, see my article in CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-27-21-siemens-log4shell-advisory - subscription required.
Sunday, December 26, 2021
Review - Public ICS Disclosures - Log4Shell Advisories – Week of 12-18-21
This is effectively Part 2 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 80 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site a free-access article so as to avoid a lengthy duplication here.
Thursday, December 23, 2021
Review - 12-23-21 Siemens Log4Shell Advisories
Today, Siemens updated two Log4Shell advisories.
Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 22nd, 2021.
Siemens published an update for their Sensformer Log4Shell advisory that was originally published on December 21st, 2021.
For more details on the changes made in these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-23-21-siemens-log4shell-advisories - subscription required.
Review - 2 Advisories Published – 12-23-21
Today, CISA’s NCCIC-ICS published two control system security advisories for products from Johnson Control and Moxa.
Johnson Controls Advisory - This advisory discusses the original Log4Shell vulnerability in the Johnson Control Exacq Technologies Enterprise Manager.
NOTE: It is interesting that nowhere does the NCCIC-ICS advisory mention the Apache vulnerabilities except by the CVE #. This would have been a good place to publish a reference to yesterday’s CISA, et al, advisory on “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities”, especially since this is the first NCCIC-ICS advisory on Log4Shell.
Moxa Advisory - This advisory describes a clear-text transmission of sensitive information vulnerability in the Moxa MGate MB3180/MB3280/MB3480 Series Protocol Gateways.
NOTE: It looks like NCCIC-ICS is reporting the wrong CVE number for this advisory.
For more details about these advisories, see my article at CFSN Detailed Analysis - - subscription required.
Wednesday, December 22, 2021
Review - 12-22-21 Siemens Log4Shell Advisory
Today Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 21st, 2021. The new information includes:
• Adding two products to the list of affected products,
• Adding nine additional products considered as not affected
For more details on this update, including the additions to the ‘affected products’ and ‘not affected products’ lists, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-22-21-siemens-log4shell-advisory [Added link - 10:10 pm EST, 12-22-21] - subscription required.
Tuesday, December 21, 2021
Review - 12-21-21 Siemens Advisories for Log4Shell
Today, Siemens published another new Log4Shell advisory and updated their original advisory.
New Advisory - Siemens published an advisory discussing the three Log4Shell advisories in their Energy Sensformer (Platform, Basic and Advanced).
Update - Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 20th, 2021.
Commentary
One thing that has become obvious during my coverage of this set of vulnerabilities is that cloud versions of control system software appear to be ideally suited to responding to vulnerabilities. It looks (from the outside) like it takes less time to develop mitigations, and it certainly gets them into actual operations much faster. The only question is, how does this affect the ‘requirement’ to test patches, updates, and new versions off-line before they are run on operational systems? Yes, vendors like Siemens certainly do in-house testing ‘offline’, but that testing cannot include all of the other pieces of the control system that must physically reside in the plant, like sensors, valves and motors. Is this not necessary for control system software-as-a-service products?
For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-21-21-siemens-advisories-for-log4shell - subscription required.
Monday, December 20, 2021
Review - 12-20-21 Siemens Advisories for Log4Shell
This afternoon Siemens published another new Log4Shell advisory and updated their original advisory.
New Advisory - Siemens published an advisory discussing the Log4Shell vulnerabilities in their TraceAlertServerPLUS, a software component installed in SVC PLUS energy transmission solutions.
Updated Advisory - Siemens published an update of their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 19th, 2021.
For more details about the advisory and update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-20-21-siemens-advisories-for-log4shell - subscription required.
Commentary
Nobody can claim that Siemens is not actively working on remediating this unusual set of third-party vulnerabilities. But I have to ask the uncomfortable question, is it really helpful? Fixing a vulnerability in a control system is not just taking a computer out of service long enough to install an update. Properly done it requires testing updates on a mirror system to see if there are any unusual and unexpected consequences to applying the update. Then, the live system needs to be taken out of service and the updates applied and then tested again. Only then can the facility production be resumed.
Facilities cannot afford to do this multiple times within eight days; many cannot afford to do it every year.
I am not sure what the answer is, but this particular vulnerability brings us to a perfect place in time to ask the question. Researchers, operators, red teams and blue teams need to take a moment out of their even-more-hectic-than-normal schedules to think about and discuss how problems like this really need to be dealt with.
One thing that I am sure of: this is not the last vulnerability that will affect so many so quickly.
Sunday, December 19, 2021
Review - Sunday Siemens’ Advisories for Log4Shell Vulnerabilities – 12-19-21
Today (yes, on Sunday less than a week after 2nd Tuesday, talk about out-of-zone), Siemens published a new log4j advisory and updated their earlier Log4Shell advisory (for the fifth time).
New Advisory - Siemens published an advisory discussing the latest log4j vulnerability (CVE-2021-45105).
Log4Shell Update - Siemens published an update for their Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 18th, 2021.
For more details about these two new Siemens cybersecurity products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/sunday-siemens-advisories-for-log4shell - subscription required.