Problems with Vulnerability Information Sharing – 8-14-22
For a couple of years now, I have been doing a weekly blog post (more frequently lately, a multi-part blog post) looking briefly at industrial control (and medical device) security vulnerability disclosures by vendors and researchers. Generally, I try to keep this separate from my highlighting vulnerabilities disclosures by CISA’s NCCIC-ICS, if for no other reason than to keep down the amount of time I spend on the post. Recently, however, I have been seeing an increasing problem with the information sharing that goes into keeping the NCCIC-ICS advisories up to date. Today the problem became egregious enough that I need to look at it in some depth.
NOTE: The update numbers used here for convenience's sake come from today's post on Chemical Facility Security News; they have nothing to do with the issue itself and are only there to help me keep the data straight.
Vendor Updates Not Being Covered
I saw six instances where a vendor (BD and Siemens, both well known to coordinate with NCCIC-ICS) published an update for an advisory that they had issued, but NCCIC-ICS did not publish an update for their related advisory. Here is the data:
BD Update #1 - BD published an update for their BD Alaris™ 8015 PC Unit advisory that was originally published on November 12th, 2022, and most recently updated on March 15th, 2021. NOTE: NCCIC-ICS did not update their advisory (ICSMA-20-317-01) for this information.
BD Update #3 - BD published an update for their Alaris PC Unit PCU model 8015 advisory that was originally published on February 7th, 2017 and most recently updated on March 16th, 2021. NOTE: NCCIC-ICS did not update their advisory (ICSMA-17-017-02) for this information.
Siemens Update #3 - Siemens published an update for their RUGGEDCOM advisory that was originally published on March 10th, 2022 and most recently updated on June 14th, 2022. NOTE: NCCIC-ICS did not update their advisory (ICSA-22-069-01) for this information.
Siemens Update #6 - Siemens published an update for their OpenSSL advisory that was originally published on June 16th, 2022 and most recently updated on July 12th, 2022. NOTE: NCCIC-ICS did not update their advisory (ICSA-22-167-14) for this information.
Siemens Update #11 - Siemens published an update for their SIMATIC advisory that was originally published on July 12th, 2022. NOTE: NCCIC-ICS did not update their advisory (ICSA-22-195-15) for this information.
Siemens Update #24 - Siemens published an update for their SIMATIC S7-400 advisory that was originally published on November 13th, 2018, and most recently updated on February 10th, 2020. NOTE: NCCIC-ICS did not update their advisory (ICSA-18-317-02) for this information.
I have no way of knowing where the communications breakdown is for these six instances. It is obvious that the vendor must initiate the communication with NCCIC-ICS when they make changes to their products or services that impact the vulnerabilities reported through CISA. Likewise, if NCCIC-ICS is notified, they are then responsible for recognizing that changes have to be made to their advisories, and to make the changes. And to be fair, the vulnerability disclosure process is getting to be a lot more voluminous, and I am not sure that the staffing at CISA is keeping up with the increasing size of the task.
In some of the cases described above there might have been a decision by NCCIC-ICS to prioritize their communications efforts by not updating for less consequential changes in the vendor advisories. For example, the changes reported below in my related CFSN Detailed Analysis post:
For Siemens #3 – “The new information includes reflecting a more accurate fix status in advisory.”
For Siemens #11 – “The new information includes clarifying that eaSie Core Package is affected.”
For Siemens #24 – “The new information includes announcing that no fixes were planned for SIMATIC S7-400 PN/DP V6 and below CPU family, and for SIMATIC S7-400 H V4.5 and below CPU family.”
The Siemens #24 information looks less important when you note that the initial advisory was published on November 13th, 2018, and most recently updated on February 10th, 2020. Interested parties would be excused for already assuming that no fix was forthcoming.
This certainly seems to me to be a topic that should be looked at more closely than I have the access to do. It might be a good topic for a GAO report or an IG investigation to see whether CISA has the requisite tools and authority to ensure that the vulnerability disclosure process runs smoothly.
CISA Updates Not Being Reported
This month there were an unusually large number of vendor updates from Siemens. CISA listed 14 of their advisories on the ICS-CERT Advisories page as being affected by Siemens updates, and Siemens listed an additional 24 of their advisories on their website as being updated. But, going back and looking at those 24 Siemens updates, I found that five of them had been addressed with updates of CISA advisories that were not listed on the ICS-CERT Advisories page:
Siemens Update #4 - Siemens published an update for their Libcurl advisory that was originally published on May 12th, 2022, and most recently updated on June 14th, 2022. NOTE: NCCIC-ICS did update their advisory (ICSA-22-132-13) but did not list the update on their advisory page, so I did not cover it on Friday.
Siemens Update #5 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 10th, 2022 and most recently updated on May 10th, 2022. NOTE: NCCIC-ICS did update their advisory (ICSA-22-041-02) but did not list the update on their advisory page, so I did not cover it on Friday.
Siemens Update #8 - Siemens published an update for their SIMATIC advisory that was originally published on July 13th, 2021 and most recently updated on July 14th, 2022. NOTE: NCCIC-ICS did update their advisory (ICSA-21-194-06) but did not list the update on their advisory page, so I did not cover it on Friday.
Siemens Update #16 - Siemens published an update for their PROFINET advisory that was originally published on April 14th, 2022 and most recently updated on July 12th, 2022. NOTE: NCCIC-ICS did update their advisory (ICSA-22-104-06) but did not list the update on their advisory page, so I did not cover it on Friday.
Siemens Update #23 - Siemens published an update for their SIMATIC S7-1200 advisory that was originally published on December 10th, 2019, and most recently updated on March 12th, 2020. NOTE: NCCIC-ICS did update their advisory (ICSA-19-344-06) but did not list the update on their advisory page, so I did not cover it on Friday.
Now, I will be the first to admit that I know first-hand how hard it is to keep track of all of these advisories and updates during the second-Tuesday week. I have found myself missing moving information from my CFSN Detailed Analysis page to the digest form I post on Chemical Facility Security News. I know I need to do a better job, but I am a part-timer with limited resources and no one to conduct backstop checks. I would like to think that CISA has more resources available to ensure that their product quality is better than mine.
Duplicate Advisories
Earlier this week, I saw something even odder happen: CISA issued a new NCCIC-ICS advisory for a vulnerability that they had reported upon earlier for the same product. Here is how I reported it on CFSN Detailed Analysis:
SICAM Advisory #1
This advisory describes a hard-coded credentials vulnerability in the Siemens SICAM TOOLBOX II control and monitoring system. The vulnerability was reported by Matan Dobrushin and Eran Jacob from OTORIO. Siemens has a hot fix available that disables the affected port. According to the Siemens advisory no other fix is planned.
NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit the vulnerability to result in full access to the database.
NOTE: NCCIC-ICS published a nearly identical advisory (ICSA-22-041-05) in February with both based upon the same Siemens advisory (SSA-669737). The earlier NCCIC-ICS advisory was updated on March 10th, 2022. Today’s advisory is based upon the latest update from Siemens.
Again, I understand how difficult it can be to keep track of all of the vulnerability reports that CISA receives, and it just keeps getting worse. But let’s dig into this a little bit deeper. Going to the NVD.NIST.gov site for the vulnerability reported here (CVE-2021-45106), there is only one link reported by NIST, the link to the Siemens advisory. If there had been a link to the earlier CISA advisory on that page, I suspect that it would have been harder for someone at NCCIC-ICS to miss that advisory and have to start a new one.
It is becoming increasingly rare to see a CISA link on CVE pages on the NVD.NIST.gov website. Again, I am not sure where the information flow is breaking down, but if this information sharing process about known vulnerabilities is to really be effective, CISA and NIST both have to have the resources, processes and tools to make it work. Something is lacking here, and someone needs to get to the root of the problem before it gets completely out of hand.
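As an added example (not from the original post, nor any CISA or Siemens tooling), here is a small Python consistency check over constructed sample records that flags the four failure modes described above: vendor updates CISA never reflected, CISA updates never listed, duplicate CISA advisories derived from one vendor advisory, and NVD entries with no CISA reference. The advisory IDs are the ones cited in this post; ICSA-NEW-DUPLICATE is a placeholder for the unnamed second SICAM advisory, the vendor labels are constructed, and every date later than the post's own is constructed.

```python
from datetime import date

# Constructed sample records (not a real feed). Advisory IDs come from the post;
# vendor labels, the ICSA-NEW-DUPLICATE placeholder and August 2022 dates are made up.
VENDOR = {  # vendor advisory -> last update and the CISA advisories that track it
    "BD Alaris 8015": {"updated": date(2022, 8, 11), "cisa": ["ICSMA-20-317-01"]},
    "SSA RUGGEDCOM":  {"updated": date(2022, 8, 9),  "cisa": ["ICSA-22-069-01"]},
    "SSA Libcurl":    {"updated": date(2022, 8, 9),  "cisa": ["ICSA-22-132-13"]},
    "SSA-669737":     {"updated": date(2022, 8, 9),
                       "cisa": ["ICSA-22-041-05", "ICSA-NEW-DUPLICATE"]},
}
CISA = {  # CISA advisory -> last update and whether the advisories page listed it
    "ICSMA-20-317-01":    {"updated": date(2021, 3, 15), "listed": False},
    "ICSA-22-069-01":     {"updated": date(2022, 6, 14), "listed": False},
    "ICSA-22-132-13":     {"updated": date(2022, 8, 9),  "listed": False},
    "ICSA-22-041-05":     {"updated": date(2022, 3, 10), "listed": False},
    "ICSA-NEW-DUPLICATE": {"updated": date(2022, 8, 11), "listed": True},
}
NVD = {"CVE-2021-45106": ["SSA-669737"]}  # CVE -> advisory references NVD lists


def stale_cisa_advisories(vendor=VENDOR, cisa=CISA):
    """CISA advisories whose vendor source was updated after CISA's last update."""
    return sorted(c for v in vendor.values() for c in v["cisa"]
                  if v["updated"] > cisa[c]["updated"])


def unlisted_cisa_updates(vendor=VENDOR, cisa=CISA):
    """CISA advisories that are current but never appeared on the advisories page."""
    return sorted(c for v in vendor.values() for c in v["cisa"]
                  if cisa[c]["updated"] >= v["updated"] and not cisa[c]["listed"])


def duplicate_cisa_advisories(vendor=VENDOR):
    """Vendor advisories that more than one CISA advisory was derived from."""
    return {k: v["cisa"] for k, v in vendor.items() if len(v["cisa"]) > 1}


def cves_missing_cisa_reference(nvd=NVD):
    """CVEs whose NVD references include no ICSA/ICSMA advisory at all."""
    return sorted(cve for cve, refs in nvd.items()
                  if not any(r.startswith(("ICSA-", "ICSMA-")) for r in refs))


if __name__ == "__main__":
    print("stale:", stale_cisa_advisories())
    print("unlisted:", unlisted_cisa_updates())
    print("duplicates:", duplicate_cisa_advisories())
    print("no CISA ref in NVD:", cves_missing_cisa_reference())
```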
NOTE: This issue is so important in my mind, that I am making this a publicly available post.