Monday, April 15, 2024

Short Takes – 4-15-24

Thermoset plastic made from wood waste catalyzes its own degradation. CEN.ACS.org article. Pull quote: “Plenty of researchers have tried making degradable thermoset plastics by incorporating functional groups whose bonds can be severed by a catalyst or other external trigger. Barta and coworkers designed their new biobased epoxy-amine polymer similarly, with easily cleaved ester groups in the polymer backbone. But the polymer turned out not to need an external catalyst to break it down. ‘The fact that it catalyzes its own degradation was definitely serendipity,’ Barta says. ‘We didn’t hope for such a wonderful effect.’”

Ukrainian Hackers Hijacked 87,000 Sensors to Shut down Sewage System. A tad bit of click-bait in the headline. CybersecurityNews.com article. Pull quote: “The malware has begun to flood communication protocols such as RS485/MBus, sending random commands [emphasis added] to the compromised control and sensory systems.” ‘Random commands’ as opposed to system knowledge… not as effective but easier to pull off.

Open Meeting of the Internet of Things Advisory Board. Federal Register NIST meeting notice. Pull quote: “The agenda for the May 14-15, 2024 meeting is expected to focus on finalizing the IoT Advisory Board's report for the IoT Federal Working Group and the recommendations and findings in that report.”

The Space Force Is About to Play Space Wars in Earth Orbit. Gizmodo.com article. Pull quote: “Rocket Lab will build and launch its own spacecraft using the company’s Electron rocket, while True Anomaly will build a rendezvous and proximity operation-capable spacecraft, as well as provide a command and control center. The mission is scheduled for launch in 2025, and each company will be given its own launch and mission profiles at the time.”

Rocket Lab Wins Space Force Contract -- at Twice the Usual Price. Fool.com article. Unusual look at Space Force contract. Pull quote: “For the record, when SpaceX began reusing rockets in 2017, the company calculated the cost savings at approximately 40% -- 40 full percentage points of additional gross margin on its launches. Assuming Rocket Lab succeeds in this endeavor, it could be enough to turn Rocket Lab's launch business profitable when combined with more lucrative U.S. government launch contracts.”

A Glimpse Into the CISA KEV. Jericho.blog blog post. Pull quote: “Before this talk, I certainly had some criticism of the KEV, but this talk really opened my eyes to some of the details on how they operate and why the KEV seemingly fell short. I think after the talk and thinking on it more, the big thing that stands out to me is the KEV is one thing while the industry thinks it is another thing. This talk bridged that gap for me. Now, my criticism is leveled more at organizations and vendors that have evidence of exploitation and don’t share it with CISA, so that the KEV can be updated more rapidly, and be more thorough.”

Cybersecurity and FISA §702 Reauthorization

Last Friday, during the consideration of HR 7888, the Reforming Intelligence and Securing America Act, the House took up Amendment #1 offered under H Rept 118-456 (pg 5). That amendment would have provided for a warrant requirement for reviewing/using information on US persons obtained under §702 of the Foreign Intelligence Surveillance Act. One of the provisions of that amendment was an exemption from the added warrant requirement for cybersecurity purposes. Amendment #1 was defeated by a vote of 212 to 212 (tie votes in the House do not pass) with significant vote splits in both parties.

The amendment would revise the proposed language for §702(f)(2) {original language at 50 USC 1881a(f)(2)} found in §3(a) (pgs 14-15) of the version of HR 7888 being considered. The Amendment #1 language included a subparagraph (B) that provided for exceptions to the need for a warrant. Clause (IV) of that subparagraph provides for an exemption if “the query uses a known cybersecurity threat signature as a query term”. The exemption would also require that:

• The query is conducted, and the results of the query are used, for the sole purpose of identifying targeted recipients of malicious software and preventing or mitigating harm from such malicious software,

• No additional contents of communications acquired as a result of the query are accessed or reviewed, and

• Each such query is reported to the Foreign Intelligence Surveillance Court.

Obviously, the House was evenly divided about the need to add a warrant requirement to the FISA §702 reauthorization, so there continues to be significant concerns about how the §702 data is being used in practice. It seems to me that the proposed cybersecurity exemption to the warrant requirements was an honest attempt to mitigate some legitimate anti-warrant concerns. Because this was buried in a nine-page amendment, I am not sure that the exception was specifically considered by any member voting on the amendment. Perhaps with more time to consider and debate such provisions this could have swayed one or more votes to accept the general warrant requirements.

Sunday, April 14, 2024

Review – Public ICS Disclosures – Week of 4-6-24 – Part 2

For part two we have three additional vendor disclosures from B&R, Schneider and Welotec. We also have 13 vendor updates from HP (2) and Siemens (11). Finally, there are four researcher reports for vulnerabilities in products from TP-Link.

Advisories

B&R Advisory - B&R published an advisory that discusses four vulnerabilities (one with known exploit) in their APC4100, APC910, and PPC900 products.

Schneider Advisory - Schneider published an advisory that discusses an improper privilege management vulnerability in their Easergy Studio product.

Welotec Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Welotec TK500v1 router series.

Updates

HP Update #1 - HP published an update for their PC BIOS advisory that was originally published on March 12th, 2024.

HP Update #2 - HP published an update for their March 2024 BIOS security advisory that was originally published on March 13th, 2024.

Siemens Update #1 - Siemens published an update for their FortiGate NGFW advisory that was originally published on March 12th, 2024.

Siemens Update #2 - Siemens published an update for their SIMATIC S7-1500 BIOS advisory that was originally published on June 16th, 2023 and most recently updated on December 12th, 2023.

Siemens Update #3 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on June 13th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #4 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 13th, 2024.

Siemens Update #5 - Siemens published an update for their Scalance W1750D advisory that was originally published on February 13th, 2024.

Siemens Update #6 - Siemens published an update for their OpenSSL advisory that was originally published on June 14th, 2022 and most recently updated on January 9th, 2024.

Siemens Update #7 - Siemens published an update for their OPC UA Implementation advisory that was originally published on September 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #8 – Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023 and most recently updated on November 14th, 2023.

Siemens Update #9 - Siemens published an update for their SCALANCE W700 advisory that was originally published on November 14th, 2023.

Siemens Update #10 - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on December 12th, 2023 and most recently updated on March 12th, 2024.

Siemens Update #11 - Siemens published an update for their OpenSSL Vulnerabilities advisory that was originally published on March 14th, 2023 and most recently updated on October 10th, 2023.

Researcher Reports

TP-Link Reports - Talos published four reports describing twelve vulnerabilities in the TP-Link AC1350 Wireless MU-MIMO Gigabit Access Point.


For more information on these disclosures, including links to third-party advisories and summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-fd8 - subscription required.

Saturday, April 13, 2024

State Actions on CFATS – 4-11-24

I do not normally cover State level legislative efforts, as each State legislature has their own peculiar ways of dealing with legislation, but today I was pointed at an article on NebraskaExaminer.com that includes a discussion about an unusual legislative effort to deal with the fallout from Senate inaction on HR 4470, the CFATS reauthorization bill. Back in January Nebraska State Legislator Bostar introduced LB1048. The bill would require a CFATS covered facility to participate in CISA’s ChemLock program until such time as the CFATS program is reauthorized.

The ChemLock program is a voluntary program that CISA developed to provide chemical security assistance to chemical facilities that were not covered by the CFATS program. While there are a number of important features to that program, it is by no means a substitute for CISA’s oversight of the CFATS program. Still, I can understand Bostar’s concern about the Senate’s inaction on the CFATS reauthorization.

OMB Approves EPA PFOA/PFOS CERCLA Final Rule

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the Environmental Protection Agency on “Designating PFOA and PFOS as CERCLA Hazardous Substances”. The notice of proposed rulemaking for this action was published on September 6th, 2022.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“Under the Comprehensive Environmental Response, Compensation, and Liability Act of 1980, as amended (“CERCLA” or “Superfund”), the Environmental Protection Agency (EPA or the Agency) is moving to finalize the designation of perfluorooctanoic acid (PFOA) and perfluorooctane sulfonic acid (PFOS), including their salts and structural isomers, as hazardous substances. CERCLA authorizes the Administrator to promulgate regulations designating as hazardous substances such elements, compounds, mixtures, solutions, and substances which, when released into the environment, may present substantial danger to the public health or welfare or the environment. Such a designation would ultimately facilitate cleanup of contaminated sites and reduce human exposure to these “forever” chemicals.”

We could see this final rule published in the Federal Register in the next week or two. I do not expect that I will cover this rulemaking beyond announcing it in the appropriate Short Takes post when it is published.

Chemical Incident Reporting – Week of 4-6-24

NOTE: See here for series background.

San Mateo, CA – 4-4-24

Local News Reports: Here, here, and here.

Pool supply pickup truck overturned, spilling 24 gallons of chlorine bleach. No injuries.

Not CSB reportable; a transportation incident, not a fixed site issue.

Review - Public ICS Disclosures – Week of 4-6-24 – Part 1

This week for Part 1 we have 20 vendor disclosures from B&R, Broadcom, FortiGuard (3), HP, HPE (3), Insyde, Palo Alto Networks (8), Pepperl+Fuchs, Philips, and Rockwell.

Advisories

B&R Advisory - B&R published an advisory that discusses five vulnerabilities (one with known exploit) in their APROL product.

Broadcom Advisory - Broadcom published an advisory that discusses the XZ Utils Data vulnerability.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an exposure of sensitive information to unauthorized actor vulnerability in their FortiOS product.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a use of externally controlled format string vulnerability in their FortiOS product.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes an insufficiently protected credentials vulnerability in their FortiOS and FortiProxy products.

HP Advisory - HP published an advisory that discusses 84 vulnerabilities in their ThinPro products. These are third-party vulnerabilities.

HPE Advisory #1 - HPE published an advisory that describes a cross-site request forgery in their OfficeConnect switches.

HPE Advisory #2 - HPE published an advisory that describes an authentication bypass vulnerability in their FlexFabric and FlexNetwork switches.

HPE Advisory #3 - HPE published an advisory that discusses eleven vulnerabilities {one listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in their Unified Correlation Analyzer.

Insyde Advisory - Insyde published an advisory that describes an out-of-bounds write vulnerability in their PnpSmm application.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that discusses eleven vulnerabilities (one with known exploit) in their PAN-OS product.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes an incorrect authorization vulnerability in their GlobalProtect SSL VPN.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes an inadequate encryption strength vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an interpretation conflict vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes an interpretation conflict vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #6 - Palo Alto Networks published an advisory that describes an allocation of resources without limit or throttling vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #7 - Palo Alto Networks published an advisory that describes a NULL pointer dereference vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #8 - Palo Alto Networks published an advisory that describes an improper ownership management vulnerability in their PAN-OS product.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses eight vulnerabilities (including three with known exploits) in the Pepperl+Fuchs ICES2 and ICES3 products.

Philips Advisory - Philips published an advisory that discusses the Terrapin Attack vulnerability.

Rockwell Advisory - Rockwell published an advisory that describes an invalid header value vulnerability in their ControlLogix and GuardLogix products.


For more information on these disclosures, including links to third-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-3bc - subscription required.
