1 Update Published – 6-7-22
Today, CISA’s NCCIC-ICS updated an advisory for products from Mitsubishi. CISA also updated their Known Exploited Vulnerabilities (KEV) web site. I also include a Down the Rabbit Hole discussion about reporting control system vulnerabilities to CISA.
Mitsubishi Update
This update provides additional information on an advisory that was originally published on November 30th, 2021 and most recently updated on April 26th, 2022. The new information adds the R08/16/32/120PSFCPU and R16/32/64MTCPU to the list of fixed products.
KEV Page Update
CISA announced today that they had updated their KEV website, providing information on the criteria and process used to add known exploited vulnerabilities to the KEV catalog. CISA explains the three threshold criteria, all of which must be met, for selecting a vulnerability for listing in the KEV. Those three criteria are:
The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
There is reliable evidence that the vulnerability has been actively exploited in the wild.
There is a clear remediation action for the vulnerability, such as a vendor-provided update.
Down the Rabbit Hole
Back when CISA updated their ICS landing page, I discussed (subscription required) the outline of the process for submitting control system vulnerability reports to CISA via the Vulnerability Information and Coordination Environment (VINCE) reporting page run by CMU’s Software Engineering Institute. At that time I noted that:
“It is not yet clear if the information shared with CERT-CC via this page will be primarily addressed in advisories published by NCCIC-ICS or advisories published by CERT-CC. The link from the CISA page does automatically check the “Significant ICS/OT impact?” box a third of the way down the page, so that may bifurcate the vulnerability reporting and coordinating responsibilities. Or CISA may just be contracting those responsibilities to CERT-CC. It is too early to tell, and this new landing page is not explaining much.”
Today, following a convoluted set of links from the KEV website (through the new CVE Beta website, no less), I found a page that I have seen before, the CISA Coordinated Vulnerability Disclosure (CVD) Process page. CISA does not date most of their web pages, so it is not possible to tell whether this page is concurrent with the reporting page I discussed in March. In any case, the CVD page still tells folks to submit vulnerability reports via email to report@cisa.gov.
Personally, I like the CERT-CC methodology as it helps ensure that the information is complete.