Saturday, December 29, 2018

Public ICS Disclosures – Week of 12-22-18


This week we have one vendor disclosure from Schneider Electric and there is of course the federal funding fiasco.

Schneider Advisory


Schneider published an advisory for a use after free vulnerability in their Zelio Soft software product. The vulnerability was reported by mdm and rgod, of the 9SG Security Team. Schneider has an update available to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Federal Funding Fiasco


This is the first week of the FFF and it looks like it could last for a while. The NCCIC-ICS landing page does not include the FFF banner that is found on web sites for other Cybersecurity and Infrastructure Security Agency (CISA) organizations. I would like to think that that would mean that NCCIC-ICS is up and functioning like the main National Cybersecurity and Communications Integration Center (NCCIC) presumably is.

Unfortunately, the lack of publication of any advisories this week leads me to conclude that if NCCIC-ICS is functioning, it is doing so in a limited fashion. It would be helpful if NCCIC-ICS were to delineate which of its functions were deemed to be essential enough to continue during the FFF.

Wednesday, December 26, 2018

Federal Funding Fiasco and CFATS – December 2018


As expected, there is now a banner on the Chemical Facility Anti-Terrorism Standards (CFATS) web page reflecting the closed status for the Infrastructure Security Compliance Division (ISCD) during this federal funding fiasco (FFF).

The banner links to a DHS blog site that provides the following information:

“NOTICE: Due to the lapse in federal funding, this website will not be actively managed. This website was last updated on December 21, 2018 and will not be updated until after funding is enacted. As such, information on this website may not be up to date. Transactions submitted via this website might not be processed and we will not be able to respond to inquiries until after appropriations are enacted.”

During an earlier shutdown this year, ISCD, in addition to publishing a similar banner, posted a note on the CFATS Knowledge Center that provided minimal information about the impact of that FFF on the CFATS program. There is not currently any such notice on the Knowledge Center.

Interestingly, the CFATS Help Desk (866-323-2957) is functioning; if I remember correctly it is run by a contractor and thus not immediately affected by the FFF. I have a request thru the Help Desk about what portions of the CFATS program are affected by the FFF; I really do not expect to receive an answer until funding is restored.

Sunday, December 23, 2018

CG Updates Cyber Guidelines for Vessels


Earlier this month the Coast Guard published an updated version of “The Guidelines for Cybersecurity Onboard Ships”. The 53-page .PDF document provides a non-technical overview of cybersecurity concerns and activities, though it is not technically an official Coast Guard document. While it addresses both IT and OT cybersecurity issues, it concentrates on the interaction of cybersecurity and safety, coming up with an interesting new term that those in the OT cybersecurity field are sure to find helpful: “cyber safety incidents”.

There is lots of useful information in this document for the non-technical management of cybersecurity risks. One of the interesting aspects of the way the information is presented is that it includes numerous examples of real-life incidents where a wide variety of cyber safety incidents led to high-cost results. While the authors are careful to remove identifying data from the incident descriptions, many of the incidents used were high-profile news stories.

This is certainly a useful document, both for managers responsible for cyber risk management and for security professionals, to better help them communicate with those non-technical managers who control the cybersecurity purse strings.

One minor point for the presentation designers of this document: the page numbers are awfully hard to read.



Friday, December 21, 2018

Public ICS Disclosure – Week of 12-15-18


This week we have five vendor notifications for products from Schneider Electric (3), Yokogawa and 3S (5).

Schneider Advisories


Schneider published an advisory for three vulnerabilities in their EVLink Parking product. The vulnerabilities were reported by Vladimir Kononovich and Vyacheslav Moskvin (Positive Technologies). Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three vulnerabilities are:

• Hard-coded credentials - CVE-2018-7800;
• Code injection - CVE-2018-7801; and
• SQL injection - CVE-2018-7802

Schneider published an advisory for an input validation vulnerability in their Pro-Face GP-Pro EX product. The vulnerability was reported by Yu Quiang (ADLab of Venustech). Schneider has a new version that mitigates the vulnerability. There is no indication that Yu has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory for three vulnerabilities in their IIoT Monitor product. The vulnerabilities were reported by rgod via the Zero Day Initiative. Schneider has a new product that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Path traversal - CVE-2018-7835;
• Unrestricted upload of file with dangerous type - CVE-2018-7836; and
• Improper restriction of XML external entity reference - CVE-2018-7837

NOTE: I expect that we will see these three advisories reported by NCCIC-ICS next week if they are allowed to continue to report during the upcoming financial idiocy. NCCIC will operate, but the ICS reporting function might not be allowed to continue until a funding bill is signed by the President.

Yokogawa Advisory


Yokogawa published an advisory for a denial of service vulnerability in their Vnet/IP Open Communication Driver. The vulnerability appears to be self-reported. Yokogawa has a patch for many of the products to mitigate the vulnerability, but many of the affected products are no longer supported.

3S Advisories


3S published an advisory for an information exposure vulnerability in their CODESYS Development System V3. The vulnerability was reported by Heinz Füglister of WRH Walter Reist Holding AG. 3S has a new version that mitigates the vulnerability. There is no indication that Füglister has been provided an opportunity to verify the efficacy of the fix.

3S published an advisory for two denial of service vulnerabilities in their CODESYS V3 products. The vulnerabilities were reported by ABB Switzerland Ltd. and Jérôme Vialle of Schneider Electric. 3S has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

3S published an advisory for two denial of service vulnerabilities in their CODESYS Development System V3 Alarm configuration application. These vulnerabilities are being self-reported. 3S has a new version that mitigates the vulnerabilities.

3S published an advisory for two denial of service vulnerabilities in their CODESYS Control V3 TLS socket communication application. These vulnerabilities were reported by an unidentified OEM customer. 3S has new versions that mitigate the vulnerabilities. There is no indication that the customer was provided an opportunity to verify the efficacy of the fix.

3S published an advisory for two denial of service vulnerabilities in the CODESYS Control V3 Trace Manager application. These vulnerabilities were reported by an unidentified OEM customer. 3S has new versions that mitigate the vulnerabilities. There is no indication that the customer was provided an opportunity to verify the efficacy of the fix.

NOTE: As is obvious from the researchers who identified most of the 3S vulnerabilities, 3S software is used by a number of ICS vendors. It will be interesting to see how many of those vendors self-identify these vulnerabilities in their products. Since 3S does not report CVE numbers for any of these vulnerabilities, it will be hard to track.


OMB Approves Two More UAV Rules


The OMB’s Office of Information and Regulatory Affairs (OIRA) announced (here and here) that it had approved an interim final rule (IFR) on “External Marking Requirement for Small Unmanned Aircraft” and a notice of proposed rulemaking (NPRM) on “Operations of Small Unmanned Aircraft Over People”. There has not been an earlier publication on either rulemaking, so it is not clear exactly what will be included in either one.

External Marking IFR


According to the Unified Agenda for this rulemaking:

“This rulemaking would revise the requirements regarding the placement of the unique identifier assigned to a small unmanned aircraft to an external surface of the aircraft. This action is necessary to enhance the safety and security of a person seeking registration information from an unmanned aircraft. This revision will enable the person to view the unique identifier directly without handling the aircraft.”

The current rule (14 CFR 48.205) allows the unique identifier for small unmanned aircraft systems (sUAS) to be placed on the interior of the aircraft if it is “readily accessible if it can be accessed without the use of any tool” {§48.205(c)}.

Flying Over People NPRM


According to the Unified Agenda for this rulemaking:

“This rulemaking would address the performance-based standards and means-of-compliance for operation of small unmanned aircraft systems (sUAS) over people not directly participating in the operation or not under a covered structure or inside a stationary vehicle that can provide reasonable protection from a falling small unmanned aircraft. This rule would provide relief from certain operational restrictions implemented in the Operation and Certification of Small Unmanned Aircraft Systems final rule (RIN 2120-AJ60).”

The current rule (14 CFR 107.39) prohibits the flying of sUAS over a human being except under very limited exceptions.

Moving Forward


The Trump Administration has been very slow to publish approved rules, so I do not expect to see either of these rulemakings make it into the Federal Register until after the first of the year.

Bills Introduced – 12-20-18


Yesterday with the House and Senate in session, there were 42 bills introduced. I will be watching the following bill:

HR 7357 To establish within the Department of Transportation an Assistant Secretary of Automated Mobility and to direct such Assistant Secretary to submit to Congress a report on automated vehicles, and for other purposes. Rep. Lipinski, Daniel [D-IL-3] 

This bill is very unlikely to go anywhere (even with the large number of bills being considered yesterday) in this session, but Lipinski will probably reintroduce this bill in January.

Three Advisories and One Update Published – 12-20-18


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Rockwell Automation, Schneider Electric and Horner Automation. They also published an update for a previously published advisory for products from OMRON. The Rockwell advisory was originally posted to the HSIN ICS-CERT library on November 27, 2018.

Rockwell Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Rockwell FactoryTalk Services Platform. The vulnerability was reported by Andrey Zhukov. Rockwell has a new version that mitigates the vulnerability. There is no indication that Zhukov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to diminish communications or cause a complete denial of service to the device.

Schneider Advisory


This advisory describes an open redirect vulnerability in the Schneider EcoStruxure. The vulnerability was reported by Donato Onofri of Business Integration Partners S.p.A. Schneider has new versions that mitigate the vulnerability. There is no indication that Onofri has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to use the device as a platform to conduct a phishing attack.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape programming software. The vulnerability was reported by rgod and mdm of 9SG Security Team via the Zero Day Initiative. Horner has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, allow the attacker to read confidential information, and may allow an attacker to remotely execute arbitrary code.

OMRON Update


This update provides new information on an advisory that was originally published on March 13th, 2018. The new information includes:

• Revision of advisory format;
• Added Esteban Ruiz (mr_me) of Source Incite as an additional vulnerability reporting source; and
• Added new affected versions.

Thursday, December 20, 2018

Senate Passes HR 7327 – Secure Technology Act

Yesterday the Senate passed HR 7327, the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (Secure) Technology Act under the unanimous consent procedure. The GPO still does not have an official version of the bill available; all we have is the House draft.

As I noted earlier, the bill was introduced and passed in the House earlier yesterday. The bill contains three titles:

TITLE I—Department of Homeland Security information security;
TITLE II—Border patrol agent pay reform; and
TITLE III—Federal acquisition supply chain security

The Title I provisions are specifically targeted at DHS information technology systems. While the bill does use a definition of ‘security vulnerability’ from 6 USC 1501, it does not use the control system inclusive definition of ‘information system’ from that section; instead it specifies the IT-limited definition from 44 USC 3502.

Congress is working quickly on a number of bills as the end of the 115th Congress quickly approaches.

Bills Introduced – 12-19-18


Yesterday with both the House and Senate in session, there were 60 bills introduced. I will be watching the following:

HR 7327 To require the Secretary of Homeland Security to establish a security vulnerability disclosure policy, to establish a bug bounty program for the Department of Homeland Security, to amend title 41, United States Code, to provide for Federal acquisition supply chain security, and for other purposes. Rep. Hurd, Will [R-TX-23] 

HR 7328 To reauthorize certain programs under the Public Health Service Act and the Federal Food, Drug, and Cosmetic Act with respect to public health security and all-hazards preparedness and response, to clarify the regulatory framework with respect to certain nonprescription drugs that are marketed without an approved drug application, and for other purposes. Rep. Brooks, Susan W. [R-IN-5] 

HR 7327


HR 7327 was actually passed yesterday in the House by a vote of 362 to 1 (69 representatives – almost evenly from both parties – not voting and likely not present) even without an official text of the bill available from the GPO.

A quick look at a draft posted on the shows IT-centric cybersecurity measures requiring DHS to establish: a researcher vulnerability reporting system for public facing DHS software and systems, a cyber-supply chain security program and a bug bounty program. It also includes vague language requiring DHS to establish a policy of publicly reporting such vulnerabilities. Oddly enough, the ‘other provisions’ include a Title II, Border Patrol Agent Pay Reform.

None of this is new, but it was combined into one package for a last minute passage in the House under suspension of the rules. There is a chance that the Senate could take this bill up today or tomorrow (if they are still in session) under the unanimous consent process, but the border patrol pay language may prevent that.

HR 7328


No action was taken yesterday on HR 7328, but it was published by the GPO. It has some interesting (for emergency response planning) provisions, but it also includes a somewhat odd cybersecurity provision. Section 703 of the bill would require the Secretary of Health and Human Services to submit to Congress a “strategy for public health preparedness and response to address cybersecurity threats (as defined in section 102 of Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501) [link added]) that present a threat to national health security.” Sharp-eyed readers will recall that that definition is based upon a control system inclusive definition of ‘information system’ {§1501(9)}.

The language of §703 is rather vague about what specific types of cyber incidents that strategy should address. It is likely that Brooks (who will not return to Congress next month) was concerned about attacks on medical information systems and perhaps medical devices, but the language is crafted broadly enough to include incidents like those I have recently been addressing in my Future ICS Security News blog (see here for instance).

There is an outside chance that this bill could be considered in the House today or tomorrow (again, if they are in session tomorrow), but it is extremely unlikely to go past consideration there. It is not clear if there would be enough bipartisan support for this bill to pass in the House (as it would require a super-majority, two-thirds vote) if considered under suspension of the rules.


Wednesday, December 19, 2018

7 Advisories and One Update Published - 12-18-18


Yesterday the DHS NCCIC-ICS published seven control system security advisories for products from ABB (3), Advantech, 3S and Siemens. They also published an update of a previously issued advisory for products from Schneider.

M2M Ethernet Advisory


This advisory describes an improper authentication vulnerability in the ABB M2M ETHERNET network analyzer. It was reported by Maxim Rupp. ABB has provided generic workarounds for this vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to upload a malicious language file.

NOTE: I briefly discussed the ABB advisory for this vulnerability in early November.


CMS-770 Advisory


This advisory describes an improper authentication vulnerability in the ABB CMS-770. This vulnerability was reported by Maxim Rupp. ABB has provided generic workarounds to mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS has reported that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to read sensitive configuration files that may lead to code execution on the device.

NOTE: I briefly discussed the ABB advisory for this vulnerability in early November.

Siemens Advisory


This advisory describes a missing authentication for critical function vulnerability in the Siemens TIM 1531 IRC. Siemens is self-reporting this vulnerability. Siemens has a firmware update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to perform arbitrary administrative operations.

NOTE: I briefly discussed the Siemens advisory and first update for this vulnerability last Saturday. The first update noted that the originally provided firmware update had been withdrawn and left just a workaround available to mitigate the vulnerability. This NCCIC-ICS advisory is based upon the second Siemens update of their advisory.

CODESYS V3 Advisory 1


This advisory describes two vulnerabilities in the 3S CODESYS V3 products. The vulnerabilities were reported by Alexander Nochvay from Kaspersky Lab. 3S has a new version that mitigates the vulnerabilities. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of insufficiently random values - CVE-2018-20025; and
• Improper restrictions of communication channel to intended endpoint - CVE-2018-20026

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to disguise the source of malicious communication packets and also exploit a random-values weakness affecting the confidentiality and integrity of data stored on the device.

NOTE: There are two 3S advisories that support this NCCIC-ICS advisory (here and here).

CODESYS V3 Advisory 2


This advisory describes an improper access control vulnerability in the 3S CODESYS Control V3 products. The vulnerability was reported by Yury Serdyuk of Kaspersky Lab. 3S has a new version and recommends activating the CODESYS Control online user management and encryption of the online communication. There is no indication that Serdyuk has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthorized access and exfiltration of sensitive data including user credentials.

NOTE: 3S published five other advisories last week when they published the three supporting these two NCCIC-ICS advisories. Interestingly, none of the others have CVE numbers. More on these on Saturday.

Advantech Advisory


This advisory describes an improper input validation vulnerability in the Advantech WebAccess/SCADA product. The vulnerability was reported by Jacob Baines of Tenable Network Security. Advantech has a new version that mitigates the vulnerability. There is no indication that Baines has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to overflow a buffer on the stack.

Gate E-2 Advisory


This advisory describes two vulnerabilities in the ABB GATE-E2 Pluto ethernet gateway. The vulnerabilities were reported by Nelson Berg of Applied Risk. ABB is only providing generic workarounds as this product is no longer supported. There is no indication that Berg has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication of a critical function - CVE-2018-18995; and
• Cross-site scripting - CVE-2018-18997

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow unrestricted access to the administrative telnet/web interface of the device, enabling attackers to compromise the availability of the device, read or modify registers and settings, or change the device configuration.

NOTE: I briefly discussed the two ABB advisories supporting this NCCIC-ICS advisory last Saturday.

Schneider Update


This update provides additional information on an advisory that was originally published on April 17th, 2018, and updated on May 3rd, 2018. The update includes:

• Links to a rewritten Schneider advisory;
• Announcement of a new version that further mitigates the HatMan vulnerabilities; and
• The announcement that as of February 19th, 2019, “Schneider Electric will require customers to have a support contract in place to engage with the HatMan malware detection service.”

Monday, December 17, 2018

OMB Approves FAA Small Drone ANPRM


On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advanced notice of proposed rulemaking (ANPRM) from the DOT’s Federal Aviation Administration (FAA) on “Safe and Secure Operations of Small Unmanned Aircraft Systems”. This ANPRM was sent to OIRA in May. I expect that the rulemaking has a good chance of being published in the Federal Register before the end of the year.

Saturday, December 15, 2018

Public ICS Disclosures – Week of 12-08-18


This week we have five vendor notifications for products from ABB (2), OSIsoft, Eaton and Siemens and seven vendor updates of previously issued notifications from Siemens. It has been a busy week.

ABB Advisories


ABB published two advisories (here and here) for their Pluto E2-Gate ethernet gateway. The two vulnerabilities were reported by Nelson Berg (Applied Risk). ABB has provided generic workarounds for these vulnerabilities. There is no indication that Berg has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• No access control - CVE-2018-18995; and
• Cross-site scripting - CVE-2018-18997

OSIsoft Advisory


OSIsoft published an advisory for a cross-site scripting vulnerability in their PI Vision 2017. This vulnerability was self-reported. OSIsoft has a new version that mitigates the vulnerability.

Eaton Advisory


Eaton published an advisory for undisclosed vulnerabilities in their XP 503 Panel PC. These vulnerabilities are related to the use of Windows Embedded Standard 7 as the operating system. Eaton provides generic workarounds to mitigate the vulnerabilities.

Siemens Advisory


Siemens published an advisory for a missing authentication vulnerability in their TIM 1531 IRC Modules. This vulnerability is self-reported. Siemens provides specific workarounds to mitigate the vulnerability.

Siemens Updates


As part of the swath of 14 advisories and updates issued by Siemens this week, there were three updates that were not covered by NCCIC-ICS updates. These were for vulnerabilities addressed in ICS-CERT generic alerts; NCCIC-ICS does not update these alerts with new information from vendors already on the alert's vendor list, since the links on those alerts already take interested parties to the latest information.

SSA-254686, v 1.2 - Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products - Added solution for SIMATIC IPC627D, SIMATIC IPC677D, SIMATIC IPC827D;
SSB-439005, v 1.1 - Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP - Added CVE-13053 and CVE-2018-19591;
SSA-268644, v 1.3 - Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products - Added solution for SIMATIC IPC547G, SIMATIC IPC627D, SIMATIC IPC677D, SIMATIC IPC827D, SINUMERIK PCU 50.5;

There were three additional updates that I suspect NCCIC-ICS could still pick up in the coming week, or maybe not, since the latest version of each of these advisories essentially negated the correction made in the previous version.

SSA-181018, v 1.1 and v 1.2 – NCCIC-ICS originally published their advisory for this vulnerability on June 14th, 2018 – v 1.1: Added solution for RUGGEDCOM WiMAX; v 1.2: Update for RUGGEDCOM WiMAX not available, see mitigations; and
SSA-293562, v 2.5 – NCCIC-ICS published their last update on these vulnerabilities (ICSA-17-129-02) on December 11th, 2018 - Corrected download links, update for CP 1243-1 not available, see mitigations; and

Commentary


It is disconcerting to see that only one of the five original vendor notifications listed here this week (OSIsoft) contains an actual mitigation for the reported vulnerabilities, and only one of the workarounds (Siemens) provided for the other four gives specific actionable information (the port to be blocked). And the ‘advisory’ from Eaton is so generic and lacking in any specific information that it might as well not have been published. And then Siemens was forced to withdraw (without explanation) previously published mitigation measures for three of their advisories/updates. It was a sad week for public ICS disclosures.

Thursday, December 13, 2018

5 Advisories and 2 Updates Published – 12-13-18

Today the DHS NCCIC-ICS published four control system security advisories for products from GE, Geutebruck, Siemens and Schneider and one medical device security advisory for products from Medtronic. They also published an update for a previously published control system security advisory for products from Siemens and a medical device security advisory for products from Philips.

GE Advisory


This advisory describes a path traversal vulnerability in the GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e distributed control systems. The vulnerability was reported by Can Demirel of Biznet Bilisim. GE has a new version that mitigates the vulnerability. There is no indication that Demirel has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to access system data, which could result in escalation of privilege and unauthorized access to the controller.

Geutebruck Advisory


This advisory describes an OS command injection vulnerability in the Geutebruck E2 Camera Series. The vulnerability was reported by Davy Douhine of RandoriSec. Geutebruck has a new version that mitigates the vulnerability. There is no indication that Douhine has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to inject OS commands as root.

Siemens Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens EN100 Ethernet Communication Module and SIPROTEC 5 relays. These vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens has updates for some of the affected products and continues to work on updates for the remaining products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition of the network functionality of the device, compromising the availability of the system.

NOTE: This advisory was published when Siemens published an update last Tuesday. The original Siemens advisory was reported here back in July, 2018.

Schneider Advisory


This advisory describes three vulnerabilities in the Schneider Electric GUIcon. The vulnerabilities were reported by mdm and rgod of 9SG Security Team. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Type confusion (2) - CVE-2018-7813 and CVE-2018-7815; and
• Stack-based buffer overflow - CVE-2018-7814

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute code with privileges within the context of the application.

NOTE: I briefly reported the Schneider advisory last Saturday.

Medtronic Advisory


This advisory describes a missing encryption of sensitive data vulnerability in the Medtronic 9790 CareLink Programmer, 2090 CareLink Programmer and 29901 Encore Programmer, which are programmers for Medtronic cardiac devices. The vulnerabilities were reported by researchers Billy Rios and Jonathan Butts of Whitescope LLC. Medtronic has provided generic workarounds for two of the devices and reports that the 9970 is out of support and all use should be discontinued. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the devices could exploit the vulnerability to access PHI or PII stored on the device.

Siemens Update

This update provides additional information for an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018 and again on November 14th, 2018. The update provides updated affected version information and mitigation links for SIMATIC NET PC-Software.

NOTE: Siemens updated their advisory on Tuesday and then again today. This NCCIC-ICS update reflects the corrected information published by Siemens today.

Philips Update


This update provides additional information for an advisory that was originally published on March 27th, 2018 and subsequently updated on December 11th, 2018. The updated information includes revised affected version data.

More Missing Siemens Updates


Siemens published four more updates today; only one of those was addressed by NCCIC-ICS today. It will be a long blog post here on Saturday. 

Bills Introduced – 12-12-18


Yesterday, with both the House and Senate in session, there were 34 bills introduced. Two of the bills may receive further consideration in this blog:

HR 7264 Making further additional continuing appropriations for fiscal year 2019, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

HR 7283 To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes. Rep. Kelly, Robin L. [D-IL-2] 

Lowey is the Ranking Member of the House Appropriations Committee, so while this is not the official spending bill language, it is politically significant. HR 7264 is a full-year continuing resolution bill that would fund the remainder of the government at current levels until the end of FY 2019. There are a few other tack-ons, but nothing objectionable.

What is odd about HR 7264 is the timing. With a week still to go on the current CR, this is very early in the negotiating process for the final spending bill. Politically, it would be a fairly painless way out of the spending mess for the dying 115th Congress, but it is unlikely to be acceptable to the President.

HR 7283 could be an interesting cybersecurity bill, but it is way too late in the session for this bill to receive any consideration. Kelly has been working on this bill for a while now, so I expect that we will see this reintroduced in January.

Wednesday, December 12, 2018

CFATS FY 2019 Outreach Plan


Today the DHS Cybersecurity and Infrastructure Security Agency (CISA) published their FY 2019 Chemical Facility Anti-Terrorism Standards (CFATS) Outreach Implementation Plan. This annual report was required by the 2014. This document provides a summary of activities undertaken in 2018 and planned for 2019 to implement the CFATS outreach requirements set forth in 6 USC 622(e)(1) and 6 USC 629. This is a follow-up to the FY 2018 report published earlier this year.

Outreach Program


Very little information in this 48-page pamphlet will be of direct interest to covered CFATS facilities; they are not really the target of this outreach effort. This effort is targeted at potential chemical facilities of interest (P-CFOI, facilities that may hold DHS chemicals of interest) to ensure that those facilities are knowledgeable of the CFATS reporting requirements for facilities that hold COI at or above the screening threshold quantity outlined in Appendix A to 6 CFR 27.

A quick read of the document does provide some interesting factoids.

As part of the roll-out of CSAT 2.0 in the fall of 2016, 3,013 facilities submitted first-time Top Screens, and of those, 335 have been added to the CFATS program as being high-risk facilities; a conversion rate of 11.1%.

In FY 2018, presumably as a result of the on-going outreach program, an additional 1,269 facilities submitted first-time Top Screens with 184 of those being added to the CFATS program; a 14.5% conversion rate.

As part of the FY 2019 outreach program, CISA will be targeting a slightly different set of industries that it believes may be under-represented in Top Screen submissions. This year the shorter list includes (pg 13):

• Glass and glass products manufacturing;
• Propane distribution;
• Plastics manufacturing;
• Grain and oilseed milling;
• Frozen food manufacturing;
• Dairy product manufacturing;
• Animal slaughtering and processing;
• Agriculture co-ops; and
• Soap, cleaning compound, and cosmetics manufacturing

LEPC Outreach


One interesting new addition to this outreach program document this year is found in Appendix B, Local Emergency Planning Committee (LEPC) Focused Outreach. This part of the outreach program is not directed at identifying new P-CFOI. Rather, it is an attempt to answer a recommendation of the latest Government Accountability Office (GAO) report on the CFATS program about increased sharing of information with Local Emergency Planning Committees (LEPCs) and emergency response personnel.

Appendix B lists the 95 LEPCs receiving specific outreach efforts from the Infrastructure Security Compliance Division (ISCD) of CISA. It notes that these 95 LEPCs in 45 counties represent 870 existing CFATS facilities. Three counties account for the bulk of these LEPCs: Middlesex County, MA (13), Middlesex County, NJ (25), and Harris County, TX (13).

With the concentration of chemical manufacturing and shipping in Harris County, TX, it is heartening to see the substantial number of LEPCs in that county. In contrast, Los Angeles County, CA, with a much higher population and a more diverse chemical manufacturing environment, has only a single LEPC. This will make ISCD’s outreach effort simpler, but it makes me wonder how effective that LEPC can be.

Two Advisories and Three Updates Published – 12-11-18


Yesterday the DHS NCCIC-ICS published two control system security advisories and updates to two previously published control system advisories; all for products from Siemens. They also published a medical device security advisory for products from Philips.

SINUMERIK Advisory


This advisory describes ten vulnerabilities in the Siemens SINUMERIK Controllers. The vulnerabilities were reported by Anton Kalinin, Danila Parnishchev, Dmitry Sklyar, Gleb Gritsai, Kirill Nesterov, Radu Motspan, and Sergey Sidorov from Kaspersky Lab. Siemens has updates for several of the products and provides workarounds for the others. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2018-11457;
• Integer overflow or wraparound - CVE-2018-11458;
• Protection mechanism failure (2) - CVE-2018-11459 and CVE-2018-11460;
• Permission, privileges and access control (2) - CVE-2018-11461 and CVE-2018-11462;
• Stack-based buffer overflow - CVE-2018-11463; and
• Uncaught exception (3) - CVE-2018-11464, CVE-2018-11465 and CVE-2018-11466

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause denial-of-service conditions, privilege escalation, or allow remote code execution.

SINAMICS Advisory


This advisory describes an improper access control vulnerability in the Siemens SINAMICS PERFECT HARMONY GH180 (based upon a 3rd party vulnerability – McAfee Application and Change Control). The vulnerability was reported by McAfee. Siemens recommends installing a McAfee update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access could exploit the vulnerability to compromise the HMI, and by extension, the drive system.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th and November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018, May 3rd, 2018 and most recently on November 13th, 2018. The update provides new affected version information and mitigation measures for:

• SIMATIC ET 200MP IM155-5 PN HF; and
• SIRIUS ACT 3SU1 interface module PROFINET

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th and November 28th, 2017, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018 and most recently on November 13th, 2018. This update provides new mitigation information for SIMATIC ET 200MP IM155-5 PN HF.

Philips Update


This update provides new information on an advisory that was originally published on March 27th, 2018. This update slips the new version expected date from ‘December 2018’ to ‘Q1 of 2019’.

Other Siemens Updates


Yesterday Siemens published a total of three new advisories and seven updates. We may see more from NCCIC-ICS later this week, but some will not be specifically addressed by NCCIC-ICS. I will have further information on the remainder on Saturday.

Saturday, December 8, 2018

Public ICS Disclosures – Week of 12-01-18


This week we have vendor notifications for products from OSIsoft and Schneider Electric and a researcher report of vulnerabilities in products from Pilz. We also have two exploit publications for products from Rockwell Automation (one may be a 0-day).

OSIsoft Vulnerabilities


In their Release Notes for the latest version of PIProcessbook OSIsoft reports that there are three vulnerabilities being corrected by this release. Those vulnerabilities are related to an included older version of Microsoft’s VBA 6.5. A separate security advisory is being (was?) released to provide further details on these ‘high impact’ vulnerabilities. If it has been released, then my limited (non-customer) access to the OSIsoft site does not provide access to the advisory. The Release Notes do credit the Australian Energy Market Operator (AEMO) with reporting the vulnerabilities.

Schneider Advisory


This advisory describes three vulnerabilities in the Eurotherm by Schneider Electric GUIcon product. The vulnerabilities were reported by mdm and rgod (9SG Security Team). Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.

The three reported vulnerabilities are:

• Type confusion (2) - CVE-2018-7813 and CVE-2018-7815; and
• Stack-based buffer overflow - CVE-2018-7814

Pilz Advisory


Applied Risk has published an advisory for a clear-text storage of sensitive information vulnerability in the Pilz PNOZmulti Configurator, a safety system tool. This is a coordinated disclosure. Pilz has a new version that mitigates the vulnerability.

Rockwell Exploits


Luca.Chiou published an exploit for an incorrect access control authentication bypass vulnerability in the Rockwell Allen-Bradley PowerMonitor 1000. A CVE has been reserved for this vulnerability (CVE-2018-19616, no further information available) which may indicate that Rockwell has been notified of this vulnerability.

Luca.Chiou published an exploit for a cross-site scripting vulnerability in the Rockwell Allen-Bradley PowerMonitor 1000. No CVE is provided in the exploit documentation. This may indicate that this is a 0-day vulnerability.

Friday, December 7, 2018

New Language for S 1885 Considered – Automated Vehicles


There is an interesting article over on Wired.com about a last-minute effort to get S 1885, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act, through the Senate. Apparently a key to that effort is revised language (not taken from an official Senate site) for that bill with provisions to appease various critics of the bill. That proposed revision includes changes to the cybersecurity provisions in the bill and a new section that would require an additional study of the cybersecurity tools implemented by the automotive industries in support of this new technology.

Changes in Cybersecurity Language


The version of S 1885 reported in the Senate includes three sections that address cybersecurity issues with varying effectiveness.

§14. Cybersecurity.
§16. Cybersecurity consumer education information.
§17. Provision of cybersecurity resource information.

Sections 16 and 17 of the draft currently circulating are essentially identical to those sections in the reported version of the bill. Section 14 is where we see the changes being made.

The most obvious change is found in paragraph (a) of the newly proposed 49 USC 30108, the definition paragraph. All of the definitions in the reported version have been removed and a ‘new definition’ has been provided for the single remaining term ‘cybersecurity incident’. The definition now refers to the term ‘significant cybersecurity incident’ in Presidential Policy Directive 4. The previous definition referred to the term ‘incident’ in 6 USC 148(a)(3). This change restricts covered incidents to those that “result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people”. In practice the last two targets (‘public health and safety of the American people’) are what would most likely apply to the automated driving systems covered in this bill.

The second and final change to §14 is also subtle. Paragraph (b) of the new §30108 describes the written ‘cybersecurity plan’ that manufacturers will be required to “develop, maintain, and execute” {new §30108(b)(1)}. The new language for subparagraph (b)(2)(I), which requires the cybersecurity plan to be aligned with the requirements of 15 USC 272(e), removes the requirement that the alignment be supportive of “voluntary efforts by industry and standards-setting organizations to develop and identify consistent standards and guidelines relating to vehicle cybersecurity, consistent, and to the extent appropriate with…”. Instead it replaces that language with the slightly more directive “considering consistency and alignment with” the cybersecurity risk management approach of §272(e).

New Cybersecurity Provision


The substitute language would add a new §24, Cybersecurity Tools Study. This would require DOT to conduct a study and submit a report to Congress within 2 years of the passage of this bill. The report would identify existing “measures, guidelines, or practices used to identify, protect, detect, respond to, or recover from cybersecurity incidents affecting the safety of a passenger motor vehicle” {§24(b)(1)(A)}, and the extent to which those measures are being used. The report would also be required to describe the susceptibility of passenger motor vehicles to cybersecurity incidents and the “degree of cybersecurity risk to the safety of a passenger motor vehicle” {§24(b)(1)(B)(iii)}.

Moving Forward


Two different blogs (here and here) are reporting that Sen. Feinstein (D,CA) and Sen. Markey (D,MA) will object to this draft language if it were offered in the Senate. At this late date, it would almost certainly be offered under the unanimous consent process and the objection of either Feinstein or Markey would kill that consideration.

If this bill were passed in the Senate (and it probably would if there were time for it to be considered under regular order) it would also have to be taken up by the House before the end of the month. While there was bipartisan support for a similar bill (HR 3388) in the House last year, it is unlikely that the House would be able to fit this bill into their limited schedule.

There are some indications that some version of this bill could be added to the final spending bill that is supposed to be considered by December 21st, 2018. The inclusion of such language is unlikely to affect the passage of that bill.

Thursday, December 6, 2018

Three Advisories Published – 12-06-18


Today the DHS NCCIC-ICS published two control system security advisories for products from Rockwell and GE. Additionally they published a medical device security advisory for products from Philips. The Rockwell advisory was originally published on the HSIN ICS-CERT library on November 6, 2018 to allow owner/operators to mitigate the vulnerability before it was made public on the NCCIC-ICS site.

I also think that it is worth mentioning that yesterday Siemens announced changes in the way they were publishing security advisories for their products.

Rockwell Advisory


This advisory describes a missing authentication for critical function vulnerability in the Rockwell MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules. The vulnerability was reported by David Noren. Rockwell reports that a newer firmware version mitigates the vulnerability. There is no indication that Noren was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to modify system settings and cause a loss of communication between the device and the system.

I briefly discussed the Rockwell notice for this vulnerability in a post on November 10th, 2018.

GE Advisory


This advisory describes an XXE vulnerability in the GE Proficy GDS service. The vulnerability was reported by Vladimir Dashchenko of Kaspersky Lab. GE reports that a newer version mitigates the vulnerability. There is no indication that Dashchenko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to initiate an OPC UA session and retrieve an arbitrary file.

The GE security notification for this vulnerability notes that this is an underlying OPC issue that was addressed in an OPC security bulletin.
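The “retrieve an arbitrary file” impact that NCCIC-ICS attributes to the GE XXE vulnerability comes from an XML parser that resolves external general entities declared in a document’s DTD. The following is an added example, not code from GE, the OPC Foundation or the advisory: it parses a constructed document twice with Python’s standard-library `xml.sax` parser, once with external general entities enabled (the unsafe configuration) and once with them disabled (the hardened configuration), so that the difference in behaviour can be seen directly. The entity name `ext`, the element names and the temporary “secret” file are all constructed for the illustration.

```python
"""Added example: XXE exposure vs hardened parser configuration (xml.sax).

Not code from GE, the OPC Foundation or NCCIC-ICS.  The document, entity name
and 'secret' file are constructed for the illustration.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample document: the internal DTD subset declares an external
# general entity whose SYSTEM identifier is a local file path, and the body
# references that entity.  A parser that resolves external entities will
# read the file and hand its contents back as ordinary character data.
XXE_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE request [\n'
    '  <!ENTITY ext SYSTEM "{path}">\n'
    ']>\n'
    '<request><node>&ext;</node></request>\n'
)


class TextCollector(ContentHandler):
    """Collects all character data the parser reports for the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def _parse(xml_bytes, allow_external_general_entities):
    """Parse xml_bytes and return the collected text.

    feature_external_ges controls whether the SAX parser fetches external
    general entities; True is the unsafe configuration, False the hardened one
    (and the Python default since 3.7.1).
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_general_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def parse_unsafe(xml_bytes):
    """Unsafe configuration: external entities are resolved from disk."""
    return _parse(xml_bytes, allow_external_general_entities=True)


def parse_hardened(xml_bytes):
    """Hardened configuration: external general entities are not resolved,
    so the reference to &ext; contributes no character data."""
    return _parse(xml_bytes, allow_external_general_entities=False)


def demo():
    """Write a constructed 'secret' file, parse a document that references it
    with both configurations, and return both results for comparison."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-file-contents")
        secret_path = f.name
    try:
        document = XXE_TEMPLATE.format(path=secret_path).encode("utf-8")
        return {
            "unsafe": parse_unsafe(document),      # file contents leak into the parse result
            "hardened": parse_hardened(document),  # nothing is read from disk
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode:9s} -> {text!r}")
```

The hardened configuration is the one to standardize on for any service that accepts XML from the network; an OPC UA endpoint that parses client-supplied XML with external entities enabled exposes exactly the file-read behaviour the first call shows.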

Philips Advisory


This advisory describes an inadequate encryption strength vulnerability in the Philips HealthSuite Health Android App. The vulnerability was reported by an unnamed (by Philips) security researcher. Philips has provided a generic workaround pending a release of a new version next quarter.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the device could exploit the vulnerability to impact the confidentiality and integrity of the product.

Siemens Announcement


Yesterday Siemens announced on TWITTER that they would be block-publishing advisories for security vulnerabilities on the 2nd Tuesday of every month. This policy has obviously been in place for a couple of months (see here for example). They did note that: “In case we have reasons to publish advisories out of band (e.g. due to criticality), we will still do so.” We have also recently seen that.

There are some obvious pluses and minuses to this policy. On a personal note, it makes for some long blog posts for these 2nd Tuesday releases. More realistically, it helps owners make patching decisions when all of the advisories for a product are released at the same time. Unfortunately, it may allow for longer effective 0-day openings when an attacker discovers a vulnerability that has been ‘fixed’ by Siemens, but the advisory has not been released. This is where we have to rely on Siemens’ judgement about criticality, but we have always had to do that anyway.

Two Advisories Published – 12-04-18


Earlier this week the DHS NCCIC-ICS published two control system security advisories for products from SpiderControl and Omron.

SpiderControl Advisory


This advisory describes a cross-site scripting vulnerability in the SpiderControl SCADA WebServer. The vulnerability was reported by Ismail Bulbul. SpiderControl has a new version that mitigates the vulnerability. There is no indication that Bulbul has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to execute JavaScript on the victim’s browser.

Omron Advisory


This advisory describes two vulnerabilities in the Omron CX-One application. The vulnerabilities were reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative. Omron has an update that mitigates the vulnerabilities. There are no indications that Ruiz has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-18993; and
• Use after free - CVE-2018-18989

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute code under the privileges of the application.

ODD NOTE: This post was actually written on Tuesday night and I was sure that it had been posted, but it is surely not on the blog. I guess I am getting senile in my middle age.


Tuesday, December 4, 2018

ISCD Publishes CFATS Update – 12-04-18


Today the DHS Infrastructure Security Compliance Division published the latest data on the Chemical Facility Anti-Terrorism Standards (CFATS) program implementation. Facilities with approved site security plans are now 81.2% of the 3,355 facilities covered by the program, a continued increase, while the total number of covered facilities continues its slow decline.

The first table below shows the number of activities that ISCD Chemical Security Inspectors conducted in support of the CFATS program.

CFATS Activities | Sep-18 | Oct-18 | Nov-18
--- | --- | --- | ---
Authorization Inspections to Date | 3854 | 3875 | 3886
Authorization Inspections Month | 35 | 25 | 14
Compliance Inspections to Date | 3891 | 3995 | 4135
Compliance Inspections Month | 71 | 106 | 143
Compliance Assistance Visits to Date | 4897 | 5008 | 5065
Compliance Assistance Visits Month | 126 | 121 | 53

Compliance inspections continue to be the major focus of the CSI force. The 143 inspections conducted this month is the highest number since June 2017 when ISCD resumed reporting on the CSAT 2.0 based results.

The next table shows the status of the facilities covered by the CFATS program.

CFATS Facility Status | Sep-18 | Oct-18 | Nov-18
--- | --- | --- | ---
Tiered | 211 | 205 | 178
Authorized | 493 | 456 | 454
Approved | 2665 | 2701 | 2723
Total | 3369 | 3362 | 3355

We see the expected decline in the number of Tiered and Authorized facilities as the percentage of facilities with approved site security plans increases.
