1 Update Published – 1-11-22
Today, CISA’s NCCIC-ICS published an update for a control system security advisory for products from Mitsubishi. I also look at the current state of the response to the OT:ICEFALL report.
Mitsubishi Update
This update provides additional information on an advisory that was originally published on August 9th, 2022 and most recently updated on August 30th, 2022. The new information includes adding NZ2MHG-TSNT8F2 and RD81OPC96 to the lists of affected and fixed products.
OT:ICEFALL Update
Back in June Forescout’s Vedere Labs published their report on OT:ICEFALL. Readers will likely remember that the report identified 56 vulnerabilities over control system products from nine different vendors. CISA’s NCCIC-ICS did not publish an alert when Forescout’s report was published (even though it contained proof-of-concept code); instead, they approached the individual vendors and attempted to coordinate disclosure on the individual product lines.
Starting on June 21st CISA began issuing what has been to date 18 advisories with the latest one being issued on August 30th. While that covers all of the vendors listed in the Vedere Labs report, it does not address all of the vulnerabilities, nor have I found vendor advisories that cover the 12 vulnerabilities not yet covered by NCCIC-ICS.
Two vendors are responsible for those 12 vulnerabilities: Emerson and Yokogawa. Yokogawa is ‘responsible’ for one of the vulnerabilities in their Stardom product. Both Yokogawa and CISA address the two other reported vulnerabilities in that product, but there is no reporting for FSCT-2022-0039. That vulnerability was not assigned a CVE, so there may be some disagreement between Yokogawa and Forescout about the legitimacy of the vulnerability.
The table below lists the eleven vulnerabilities that have not yet been reported by CISA (nor have I been able to find any Emerson advisories for these vulnerabilities).
Trying to track these vulnerabilities by their CVE numbers is not currently possible. While the CVE’s have been reserved, there is no public record for these CVE’s on CVE.MITRE.org or NVD.NIST.gov.
Thanks for keeping up the great analysis on OT:ICEFALL, I am watching it keenly as I think this is just the tip of the iceberg with respect to the issues that were found.