Author: Admin @CloudCentric

ZLAN Information Technology Co. ZLAN5143D

Summary

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication, or resetting the device password.

The following versions of ZLAN Information Technology Co. ZLAN5143D are affected:

  • ZLAN5143D v1.600 (CVE-2026-25084, CVE-2026-24789)
CVSS v3 base score: 9.8
Vendor: ZLAN Information Technology Co.
Equipment: ZLAN5143D
Vulnerabilities: Missing Authentication for Critical Function

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: China

Vulnerabilities

CVE-2026-25084

Authentication for the device can be bypassed by directly accessing internal URLs.


Affected Products

ZLAN Information Technology Co. ZLAN5143D
Vendor:
ZLAN Information Technology Co.
Product Version:
ZLAN Information Technology Co. ZLAN5143D: v1.600
Product Status:
known_affected
Remediations

Vendor fix
ZLAN Information Technology Co. did not respond to CISA’s attempts at coordination. Users of ZLAN5143D devices are encouraged to contact ZLAN and keep their systems up to date. https://www.zlmcu.com/en/contatct_us.htm

Relevant CWE: CWE-306 Missing Authentication for Critical Function


Metrics

CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-24789

An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.


Affected Products

ZLAN Information Technology Co. ZLAN5143D
Vendor:
ZLAN Information Technology Co.
Product Version:
ZLAN Information Technology Co. ZLAN5143D: v1.600
Product Status:
known_affected
Remediations

Vendor fix
ZLAN Information Technology Co. did not respond to CISA’s attempts at coordination. Users of ZLAN5143D devices are encouraged to contact ZLAN and keep their systems up to date. https://www.zlmcu.com/en/contatct_us.htm

Relevant CWE: CWE-306 Missing Authentication for Critical Function


Metrics

CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
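Both ZLAN5143D findings are instances of the same CWE-306 pattern: the device checks for a session only on the pages it expects a browser to land on, while its internal URLs and the password-change API answer to anyone who requests them directly. The following Python sketch is an added illustration, not code from the device, the vendor, or CISA. It contrasts per-page authentication with a deny-by-default dispatcher that authenticates before routing. The route names (/login, /index.htm, /internal/config, /api/set_password), the session-token scheme, and the default password are assumptions made for the illustration, not the device's actual URLs or behaviour.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    cookie: Optional[str] = None  # session token, if the client has one


@dataclass
class Device:
    password: str = "admin"           # assumed default for the illustration
    sessions: set = field(default_factory=set)

    def login(self, supplied: str) -> Optional[str]:
        # Constant-time compare; a fresh session token is issued on success.
        if hmac.compare_digest(self.password.encode(), supplied.encode()):
            tok = secrets.token_hex(16)
            self.sessions.add(tok)
            return tok
        return None


# ---- Vulnerable pattern: authentication is a property of individual pages --
# Only the landing page checks the session. The internal page and the
# password API (assumed names) are reachable by anyone who knows the URL,
# which is exactly what "bypassed by directly accessing internal URLs" and
# "unprotected API endpoint ... change the device password" describe.
def vulnerable_dispatch(dev: Device, req: Request) -> Tuple[int, str]:
    if req.path == "/login":
        tok = dev.login(req.params.get("password", ""))
        return (200, tok) if tok else (401, "bad password")
    if req.path == "/index.htm":
        if req.cookie not in dev.sessions:
            return (302, "/login")
        return (200, "main page")
    if req.path == "/internal/config":          # no session check
        return (200, "device configuration")
    if req.path == "/api/set_password":         # no session check
        dev.password = req.params["new"]
        return (200, "password changed")
    return (404, "")


# ---- Hardened pattern: deny by default, authenticate before routing --------
PUBLIC = {"/login"}  # every other path requires a valid session


def hardened_dispatch(dev: Device, req: Request) -> Tuple[int, str]:
    if req.path not in PUBLIC and req.cookie not in dev.sessions:
        return (401, "authentication required")
    if req.path == "/login":
        tok = dev.login(req.params.get("password", ""))
        return (200, tok) if tok else (401, "bad password")
    if req.path == "/index.htm":
        return (200, "main page")
    if req.path == "/internal/config":
        return (200, "device configuration")
    if req.path == "/api/set_password":
        # Require the current password even with a valid session, so a
        # stolen session cookie alone cannot lock the owner out.
        current = req.params.get("current", "").encode()
        if not hmac.compare_digest(dev.password.encode(), current):
            return (403, "current password required")
        dev.password = req.params["new"]
        return (200, "password changed")
    return (404, "")


def demo() -> dict:
    """Drive both dispatchers with an unauthenticated client, then with the owner."""
    r = {}
    v = Device()
    r["vuln_internal"] = vulnerable_dispatch(v, Request("/internal/config"))[0]
    r["vuln_reset"] = vulnerable_dispatch(
        v, Request("/api/set_password", {"new": "pwned"}))[0]
    r["vuln_password_after"] = v.password

    h = Device()
    r["hard_internal"] = hardened_dispatch(h, Request("/internal/config"))[0]
    r["hard_reset"] = hardened_dispatch(
        h, Request("/api/set_password", {"new": "pwned"}))[0]
    r["hard_password_after"] = h.password
    # The legitimate owner can still change the password through the same API.
    tok = hardened_dispatch(h, Request("/login", {"password": "admin"}))[1]
    r["hard_owner_reset"] = hardened_dispatch(
        h, Request("/api/set_password",
                   {"current": "admin", "new": "new-pass"}, tok))[0]
    r["hard_owner_password_after"] = h.password
    return r


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of the hardened version is that the authentication decision is made once, in front of the router, for every path that is not explicitly public; adding a new handler cannot silently create an unauthenticated endpoint. This does not replace the network-exposure controls in the Recommended Practices below, which are the only mitigation available while the vendor has not responded.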

Acknowledgments

  • Shorabh Karir and Deepak Singh of KPMG reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-02-10
  • Revision 1 (2026-02-10): Initial Publication

AVEVA PI to CONNECT Agent

Summary

Successful exploitation of this vulnerability could result in an unauthorized access to the proxy server.

The following versions of AVEVA PI to CONNECT Agent are affected:

  • PI to CONNECT Agent <=v2.4.2520 (CVE-2026-1495)
CVSS v3 base score: 6.5
Vendor: AVEVA
Equipment: AVEVA PI to CONNECT Agent
Vulnerabilities: Insertion of Sensitive Information into Log File

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United Kingdom

Vulnerabilities

CVE-2026-1495

The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server.


Affected Products

AVEVA PI to CONNECT Agent
Vendor:
AVEVA
Product Version:
AVEVA PI to CONNECT Agent: <=v2.4.2520
Product Status:
known_affected
Remediations

Mitigation
AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

Vendor fix
Users of affected product versions should apply security updates to mitigate the risk of proxy details exposure in newly generated PI to CONNECT Agent event logs.

Vendor fix
Users who have used affected product versions, should review existing PI to CONNECT Agent event logs (live/backups/copies) for exposed proxy connection details and consider purging the sensitive data from logs and/or configuring new credentials for access to the proxy service.

Mitigation
The following general defensive measures are recommended:

Mitigation
Remove use of plain text passwords in proxy URLs. Alternatively, if passwords are required by the proxy, then use least-privilege credentials.

Mitigation
Ensure only trusted users are given Event Log Reader (S-1-5-32-573) privileges on hosts where PI to CONNECT is installed.

Mitigation
Review existing PI to CONNECT event logs (live/backups/copies) for exposed proxy connection details and consider purging the sensitive data from logs and/or configuring new credentials for access to the proxy service.

Vendor fix
All affected versions can be fixed by upgrading to PI to CONNECT Agent v2.5.2790 or higher. The latest version of the agent can be downloaded from the CONNECT Data Services Portal here: https://datahub.connect.aveva.com/.

Mitigation
For additional information please refer to AVEVA-2026-003 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-003.pdf.

Relevant CWE: CWE-532 Insertion of Sensitive Information into Log File


Metrics

CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
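The advisory's mitigations come down to two actions: stop writing proxy URLs that carry credentials into the event log, and go back through existing logs (live, backups, copies) to find what has already leaked so the proxy credentials can be rotated. The following Python example is added here to show both; it is not AVEVA's code, and the PI to CONNECT Agent's real log format is not published in the advisory, so the sample log lines, the proxy host name and the account name are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches scheme://userinfo@rest anywhere in a line. The userinfo component
# cannot contain '/', '?', '#', '@' or whitespace, which keeps the match from
# running past the credentials into the host.
_URL_WITH_USERINFO = re.compile(
    r"\b([a-z][a-z0-9+.-]*)://([^/?#@\s]+)@([^\s\"']+)", re.IGNORECASE)


def redact_proxy_url(url: str) -> str:
    """Return the proxy URL with any embedded credentials removed.

    This is the form a logging call should receive: scheme, host, port and
    path are kept for troubleshooting; the userinfo component is dropped.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_exposed_proxy_credentials(lines):
    """Scan log lines for URLs that still carry user:password.

    Returns (line_number, username, redacted_url) tuples so a reviewer can
    see which account needs rotating without the report re-printing the secret.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in _URL_WITH_USERINFO.finditer(line):
            scheme, userinfo, rest = m.groups()
            user = userinfo.split(":", 1)[0]
            findings.append((n, user, f"{scheme}://{rest}"))
    return findings


# Constructed sample event-log lines for the illustration (not real
# PI to CONNECT Agent output).
SAMPLE_LOG = [
    "2026-02-10 09:12:03 INFO  Agent starting, version 2.4.2520",
    "2026-02-10 09:12:04 INFO  Using proxy http://svc_proxy:Winter2026!@proxy.corp.example:3128",
    "2026-02-10 09:12:05 WARN  Proxy connect failed: https://svc_proxy:Winter2026!@proxy.corp.example:3128/ (timeout)",
    "2026-02-10 09:12:09 INFO  Using proxy http://proxy.corp.example:3128",
]

if __name__ == "__main__":
    for n, user, url in find_exposed_proxy_credentials(SAMPLE_LOG):
        print(f"line {n}: credential for '{user}' exposed in {url}")
    print(redact_proxy_url("http://svc_proxy:Winter2026!@proxy.corp.example:3128"))
```

Treat every account the scan reports as compromised to the extent of the Event Log Readers group on that host, and rotate it; scrubbing the log copies is worthwhile but is not a substitute, because backups and forwarded copies are easy to miss. Where the proxy genuinely requires a password, the advisory's advice to use a least-privilege credential limits what such a leak is worth.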

Acknowledgments

  • AVEVA reported this vulnerability to CISA


Recommended Practices

CISA's general defensive measures for this advisory are the same as those listed under the ZLAN5143D advisory above: minimize network exposure for control system devices, locate them behind firewalls isolated from business networks, use VPNs with care when remote access is required, perform impact analysis and risk assessment before deploying defensive measures, and report suspected malicious activity to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.


Revision History

  • Initial Release Date: 2026-02-10
  • Revision 1 (2026-02-10): Initial Republication of AVEVA-2026-003

SCADA Engine BACnet OPC Client Buffer Overflow Vulnerability

Overview

This advisory is a follow-up to ICS-ALERT-10-260-01 SCADA Engine BACnet OPC Client Buffer Overflow, which was published on the ICS-CERT Web site on September 17, 2010.

A buffer overflow vulnerability has been reported (Secunia Advisory SA41466, http://secunia.com/advisories/41466/, last accessed September 21, 2010) in SCADA Engine’s BACnet OPC Client. Using a specially crafted malicious file, this vulnerability could allow an attacker to crash the application and execute arbitrary code. A software update is available that resolves this vulnerability.

ICS-CERT is aware that exploit code for this vulnerability is publicly available (http://packetstormsecurity.org/1009-exploits/bacnet-overflow.py.txt, last accessed September 21, 2010). However, ICS-CERT has not received any reports of the vulnerability being exploited in the wild.

Affected Products

ICS-CERT has confirmed the vulnerability in Version 1.0.24. Older versions may also be affected.

SCADA Engine has released a software update, Version 1.0.25, which ICS-CERT has confirmed effectively mitigates the vulnerability.

Impact

User interaction is required to successfully exploit this vulnerability. If the vulnerability is exploited successfully, arbitrary execution of code is possible.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

SCADA Engine’s BACnet OPC client connects an OPC server to any BACnet compliant device. The client supports OPC Data Access Specification 1.0 and 2.0 and OPC Alarms and Events Specification 1.0. The Client supports the DS-RP-A, DS-RPM-A, DS-WP-A, DS-WPM-A, DS-COV-A, DS-COVU-A, AE-N-A, AE-ACK-A, AE-ASUM-A, AE-ESUM-A, DM-DDB-A and SCHED-A BACnet Interoperability Building Blocks (BIBBs). (Source: BACnet OPC Client, http://www.scadaengine.com/software7.html, last accessed September 21, 2010.)

The BACnet OPC Client is supported on the following operating systems: Windows NT 4.0, Windows 2000, and Windows XP.

The BACnet protocol was developed by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE) and is generally used for building automation and control systems. Building automation products are used to control all aspects of a building, such as:

  • Heating, cooling, and ventilation
  • Chillers, boilers
  • Air handling units
  • Security, lighting
  • Miscellaneous equipment.

(Source: BACnet Software for Building Automation, http://www.scadaengine.com, last accessed September 21, 2010.)

Vulnerability Characterization

Vulnerability Overview

Security researcher Jeremy Brown discovered a stack-based buffer overflow in SCADA Engine’s BACnet OPC Client. A boundary error exists in WTclient.dll when preparing a status log message. This can be exploited to create a buffer overflow when the client opens a specially crafted malicious file (e.g., *.csv file).

Vulnerability Details

Exploitability

Successful exploitation of this vulnerability results in arbitrary code execution potentially leading to a system compromise. A successful exploit requires that a user open a specially crafted file.

Existence of Exploit

Exploit code for this vulnerability is publicly available (http://packetstormsecurity.org/1009-exploits/bacnet-overflow.py.txt, last accessed September 21, 2010).

Difficulty

Social engineering is required to convince the user to open the malicious file. This increases the difficulty of a successful exploit.

Mitigation

A software update is available and can be downloaded from the SCADA Engine download page (http://www.scadaengine.com/downloads.html, last accessed September 21, 2010).

Until the update is applied, ICS-CERT recommends industrial control systems owners and operators take extreme caution when opening unexpected or untrusted files, especially *.csv files.

Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

The Control Systems Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Stuxnet Malware Mitigation (Update B)

Overview

In July, ICS-CERT published an advisory and a series of updates regarding the Stuxnet malware entitled “ICSA-10-201 USB Malware Targeting Siemens Control Software.” Since then, ICS-CERT has continued analysis of the Stuxnet malware in an effort to determine more about its capabilities and intent. As the analysis has progressed, understanding of the malware sophistication has continued to increase.

Stuxnet makes use of a previously unpatched Windows vulnerability and a digitally signed kernel-mode rootkit. There have been two digital certificates used to sign this rootkit. The original certificate was revoked. Subsequently, a second variant was discovered in which the same rootkit was signed with a different key, which has also been revoked. With approximately 4,000 functions, Stuxnet contains as much code as some commercial software products. The complex code is object oriented and employs many programming techniques that demonstrate advanced knowledge in many areas, including the Windows operating system, Microsoft SQL Server, Siemens software, and Siemens PLCs. The malware also employs many advanced anti-analysis techniques that make reverse engineering difficult and time consuming.

ICS-CERT has identified that while USB drives appear to be a primary infection mechanism, Stuxnet can also infect systems through network shares and SQL databases. The Stuxnet malware stores dropped files in many locations on a target system. The infection mechanism is complex, and the exact files that may be dropped will vary depending on the system it is infecting. After infecting a system, the malware gathers extensive data from MS SQL server, Windows registry, and application software.

Once the malware has installed itself on a system, it employs many evasive techniques, including bypassing antivirus software, advanced process injection, hooking useful functions by kernel-mode rootkits, and the quick removal of temporary files. ICS-CERT is continuing to reverse engineer and analyze this malware. Because of the malware’s complexity, this work is expected to take some time.

Mitigation

——— Begin Update B ———-

According to reports and analysis, Stuxnet uses a total of five vulnerabilities; one previously patched (MS08-067) and four zero-days. Two of the four zero-day vulnerabilities have been patched since Stuxnet’s discovery.

The first zero-day was addressed in MS10-046 on August 24, 2010. The second and most recent zero-day vulnerability was addressed in MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290), released on September 14, 2010. According to Microsoft, “This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.”

The other two vulnerabilities are local escalation of privilege vulnerabilities that enable an attacker to gain full control of an affected system. According to an MSRC post, one of the vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft is evaluating these vulnerabilities and will be releasing updates in future bulletins.

ICS-CERT recommends that control system owners and operators review system upgrades and consider applying available patches to mitigate the risks for Stuxnet infection. As with all system changes, administrators should consult their control systems vendor prior to making any system changes. On Sept 7th, Siemens also updated their support site to indicate that they were aware of 15 infections worldwide. According to Siemens, in none of the cases did the infection cause an adverse impact to the automation system.

———- End Update B ———-

Implementing security measures and properly cleaning an infected system will help to mitigate the effects of the malware and overall risk of a successful Stuxnet infection. The following sections provide guidance that can be used by owners and operators to prevent or identify and remove the Stuxnet malware.

Preventing Infection

Microsoft Windows Update

Microsoft Security Bulletin MS10-046 (http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx, last accessed August 24, 2010) addresses the vulnerability used by Stuxnet to infect a system from a USB drive. Organizations affected by Stuxnet and running Siemens WinCC or Step7 software should follow Siemens recommendations (Siemens Product Support, http://support.automation.siemens.com/WW/view/en/43876783, last accessed August 23, 2010) for applying the Microsoft update.

Stuxnet malware also references a Microsoft vulnerability that was addressed in MS08-067 (http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx, last visited August 25, 2010), although it is not yet clear how this vulnerability is used. ICS-CERT recommends that control system owners and operators review system upgrades and consider applying this patch if it has not already been applied. As with all system changes, administrators should consult their control systems vendor prior to making any system changes.

USB Policy and Usage

Because USB drives, sometimes known as thumb drives, are small, readily available, inexpensive, and extremely portable, they are popular for storing and transporting files from one computer to another. This convenience also poses a security concern. Stuxnet and other malware take advantage of USB drives to propagate. Organizations are encouraged to review internal company policies and establish protective technical measures to disable USB drives. ICS-CERT recommends reviewing the Control Systems Analysis Report “USB Drives Commonly Used As an Attack Vector against Critical Infrastructure” for additional information on removable media and best practices.

Identifying and Removing the Stuxnet Malware

The overall sophistication of the Stuxnet malware cannot be overstated. Because of this complexity, cleanup procedures will vary. Some infections will be simple, while others involving Siemens products may be significantly more complex. Below are mitigation recommendations for two different system types:

  1. Systems running Siemens software
  2. Standard systems that are not running Siemens software.

Control system owners and operators should exercise caution and consult their control systems vendor prior to making any changes or using antivirus software. In addition, proper impact analysis and testing should always be conducted prior to making any changes to control systems.

With this caveat in mind, if current antivirus software identifies a system as being infected with Stuxnet malware, the following guidelines will aid in malware mitigation.

Infection of Systems Running Siemens Software

If Siemens SIMATIC WinCC or STEP 7 software is running on an infected system, then Siemens Customer Support and ICS-CERT should be contacted. Siemens recommends installing the Microsoft patch, running the SysClean tool, and installing the SIMATIC Security Update. The details of the Siemens procedure are listed on the Siemens Product Support website.

A Stuxnet infection can be complicated and involve many changes to the infected system and possibly to attached PLC hardware. Control system owners and operators should be aware that although SysClean does remove a number of files, remnant artifacts may be left on a system after cleaning. Remnants can include new files, modified files (including WinCC project files), registry changes, and new or modified database tables.

SysClean appears to stop the malware from infecting USB drives. However, because of the complexity of this malware, it is not yet understood if these remnants could pose future problems.

ICS-CERT recommends working closely with Siemens Customer Support to determine whether to completely rebuild a compromised system or to clean it through manual and/or automated means. ICS-CERT will also provide support to organizations requesting additional guidance or analysis including onsite support where appropriate. ICS-CERT is continuing to collaborate with Siemens on this malware.

Because Stuxnet specifically targets Siemens’ systems, it will behave very differently on standard systems than it does on systems running Siemens software. Current analysis indicates that cleanup of standard systems will be less complicated than on a system with Siemens’ software installed.

Vendor Admin Accounts Warning

Overview

An asset owner recently notified ICS-CERT that a vendor support contractor had added an administrative-level account during installation of new control systems software. The support contractor intended the account to be the default used to train their people for all future work on those systems. The addition of an administrative account to an ICS network with the password known by a contract company increases the cybersecurity risk to the asset owner.

This advisory highlights existing practices that may adversely impact the cybersecurity of industrial control systems (ICS) environments relative to malicious actors.

Impact

All control systems maintained by vendors, integrators, or other contractors can potentially be impacted by the practice of adding “back door” administrative accounts for future access to perform maintenance, updates, or training.

The impact to individual sites may vary, but the potential exists for an administrator-level username and password used by support personnel to be known to multiple individuals outside the owner’s organization and to be undocumented within the owner’s security policy framework. This essentially creates a backdoor into each system serviced by the support contractor and may not be recorded in the system’s configuration management process.

Background

Third-party support contractors cannot always predict the challenges they will encounter during on-site service work. As a result, contract service organizations often train their field staff to create and use a specific account with administrator privileges. This allows them to access the system to troubleshoot and to install, uninstall, or patch software components as needed. Generally, the goal is to increase productivity and ease of maintenance; however, this access may circumvent the asset owner’s user account policies, contracting requirements, or user agreements.

Mitigation

The possibility exists that asset owners may not have been notified by their contractors of such practices and therefore, are advised to audit their systems for back door administrative accounts. Asset owners should also discuss procedures with their vendor or service organizations and voice their concerns for the security impacts of creating additional user accounts with administrative privileges. This includes, as needed, alternative practices and a pre-set understanding of the work that will be performed. The Department of Homeland Security (DHS) provides guidance in the document Cyber Security Procurement Language for Control Systems for developing cybersecurity-related contractual requirements for control system work.

Where it is not possible or practical to avoid creating an administrator account (some control system software versions may require this practice), the asset owner should work with the contractor or vendor service organization to reach agreement on how best to control the system’s cybersecurity risk profile. This should be formalized into a security level agreement that clearly defines the responsibilities of both parties and should be documented in the system’s configuration management process.

Asset owners and vendor organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
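The audit this advisory asks for is a comparison of who actually holds local administrator rights on each control system host against what the owner's configuration management records say should be there; an account that appears in the first list but not the second is exactly the undocumented "back door" account described above. The following Python example is added here as one way to do that comparison and is not ICS-CERT's or DHS's code. It parses the output of the Windows `net localgroup Administrators` command and diffs it against a documented baseline; the sample command output, the baseline, and the account names in it are constructed for the illustration.

```python
import platform
import subprocess
from typing import Iterable, List, Set


def parse_net_localgroup(output: str) -> List[str]:
    """Parse the text produced by `net localgroup Administrators` on Windows.

    Member names are listed one per line between the dashed separator and
    the "The command completed successfully." trailer.
    """
    members: List[str] = []
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_members:
            if line.startswith("---"):
                in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if line:
            members.append(line)
    return members


def undocumented_admins(members: Iterable[str], baseline: Iterable[str]) -> Set[str]:
    """Return members of the administrators group that the owner's records do not list.

    Windows account names are case-insensitive, so the comparison is too.
    """
    documented = {b.casefold() for b in baseline}
    return {m for m in members if m.casefold() not in documented}


def collect_live_members() -> List[str]:
    """Run the command on the local host (Windows only) and parse the result."""
    if platform.system() != "Windows":
        raise RuntimeError("net localgroup is only available on Windows")
    proc = subprocess.run(["net", "localgroup", "Administrators"],
                          capture_output=True, text=True, check=True)
    return parse_net_localgroup(proc.stdout)


# Constructed sample output of `net localgroup Administrators` for the
# illustration; the host, accounts and group names are not real.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
opsuser
vendor_svc
The command completed successfully.
"""

# What the owner's configuration management record says should be there
# (constructed; note the case difference on OpsUser, which must not be flagged).
BASELINE = ["Administrator", "CORP\\Domain Admins", "OpsUser"]


def audit_sample() -> Set[str]:
    """Apply the baseline check to the constructed sample."""
    return undocumented_admins(parse_net_localgroup(SAMPLE_OUTPUT), BASELINE)


if __name__ == "__main__":
    for name in sorted(audit_sample()):
        print(f"undocumented administrator: {name}")
```

An account this check flags is not necessarily malicious; it may be the contractor's training account from the Overview above. The finding is still a gap in the configuration management record, and the next step is the conversation with the vendor the Mitigation section describes, followed by either removal of the account or its formal documentation under the agreed security level agreement.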

USB Malware Targeting Siemens Control Software (Update C)

Overview

VirusBlokAda, an antivirus vendor based in Belarus, announced (http://www.anti-virus.by/en/tempo.shtml, last visited July 15, 2010) the discovery of malware that uses a zero-day vulnerability in Microsoft Windows processing of shortcut files. The malware utilizes this zero-day vulnerability and exploits systems after users open a USB drive with a file manager capable of displaying icons (like Windows Explorer). US-CERT has released a Vulnerability Note (http://www.kb.cert.org/vuls/id/940193, last visited July 16, 2010) detailing the vulnerability and suggested workarounds. Microsoft has also released a Security Advisory (2286198) (http://www.microsoft.com/technet/security/advisory/2286198.mspx, last visited July 19, 2010) detailing the previously unknown vulnerability.

ICS-CERT has confirmed the malware installs a trojan that interacts with installed SIMATIC® WinCC or SIMATIC® Siemens STEP 7 software and then makes queries to any discovered SIMATIC® databases. The full capabilities of the malware and intent or results of the queries are not yet known.

ICS-CERT is coordinating with Siemens CERT, CERT/CC, Microsoft, and other groups both domestically

Affected Systems

Microsoft reports that the zero-day vulnerability affects the following versions of Windows:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 1 and Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems

There are also unconfirmed reports that Windows 2000 and Windows XP SP2 are also susceptible to this zero-day vulnerability.

The malware also appears to interact with SIMATIC® WinCC or SIMATIC® Siemens STEP 7 software. Exact software versions and configurations that may be affected are still being analyzed jointly by ICS-CERT and Siemens CERT.

Impact

The actual impact to control environments is not yet known. ICS-CERT is currently evaluating the malware to determine the potential effects that it could have on control system environments.

On July 18, 2010 proof-of-concept exploit code for the zero-day Windows vulnerability was publicly released.

Background

SIMATIC® WinCC HMI is a scalable process-visualization system for monitoring automated processes.

SIMATIC® STEP 7 is engineering software used in the programming and configuration of SIMATIC® programmable controllers.

These products are widely used in many critical infrastructure sectors.

Malware Characterization

Malware Details

The malware appears to launch when a USB storage device is viewed using a file manager such as Windows Explorer. Because the malware exploits a zero-day vulnerability in the way that Windows processes shortcut files, the malware is able to execute without using the AutoRun feature.

Shortcut files are Windows files that link easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. A shortcut will not execute until a user clicks on its icon. While Microsoft’s advisory indicates users need to click an icon for the vulnerability to be executed, VirusBlokAda reports these malicious shortcut files are capable of executing automatically (without user interaction) if accessed by Windows Explorer.

This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

Based on current reporting (VirusBlokAda, http://www.wilderssecurity.com/attachment.php?attachmentid=219888&d=1279012965, last visited July 15, 2010), the malware drops and executes two driver files: mrxnet.sys and mrxcls.sys. The mrxnet.sys driver works as a file system filter driver, and mrxcls.sys is used to inject malicious code. These files are placed in the %SystemRoot%\System32\drivers directory. The drivers were signed with the apparent digital signature of Realtek Semiconductor Corporation. No warning is displayed in Windows when the drivers are installed, even though the certificate used to sign the files expired in June 2010. VeriSign has revoked the certificate used to sign the malware. The two drivers are used to inject code into system processes to hide themselves. Using this method, the malware files are not visible on an infected USB storage device.

Currently, some analysis has been performed and published on the Siemens-specific capabilities of the malware. ICS-CERT has confirmed that the database query strings do in fact reference WinCC database tables containing Input/Output tags. As more details become available and analysis is verified, ICS-CERT will publish updates to this advisory.

ICS-CERT has found indications the malware checks for the presence of antivirus software. ICS-CERT recommends that system owners who think they have been compromised perform a check to ensure any installed antivirus software is still active as the malware may disable the software.

Symantec has also performed some in-depth analysis of the Stuxnet malware files (Symantec, http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components, last accessed July 22, 2010). This information has not been independently verified by ICS-CERT but is included for reference.

Callback Domains/Command & Control

Independent analysis from multiple sources (Zscaler Research, http://research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html, last accessed July 22, 2010; Siemens Forum, http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=225893&Language=en, last accessed July 22, 2010; CERT-In, http://www.cert-in.org.in/virus/Stuxnet_Rootkit.htm, last accessed July 22, 2010; TrendMicro, http://threatinfo.trendmicro.com/vinfo/web_attacks/Worm%20Propagates%20via%20Windows%20Shortcut%20Vulnerability%20Exploit.html, last accessed July 22, 2010) has identified the following domains as command and control domains associated with the malware. ICS-CERT has not independently verified these findings, but calls to these domains may indicate a compromise.

  • mypremierfutbol.com
  • todaysfutbol.com

Additionally, some sources are reporting that HTTP requests with the following content may be indicative of a compromised host:

  • “index.php?data=66a96e28”

Installed Files (VirusBlokAda, http://www.wilderssecurity.com/attachment.php?attachmentid=219888&d=1279012965, website last visited July 15, 2010)

C:\WINDOWS\system32\drivers\mrxnet.sys
C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\inf\oem7A.PNF
C:\WINDOWS\inf\oem6C.PNF
C:\WINDOWS\inf\mdmeric3.PNF
C:\WINDOWS\inf\mdmcpq3.PNF
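The callback domains, the HTTP request fragment and the installed-file list above are the indicators a defender would sweep for. The following is an added example (not ICS-CERT code) that checks constructed proxy log lines and a constructed host file listing against exactly those indicators; the Squid-style log layout and the function names are assumptions.

```python
"""Sweep web-proxy log lines and a host file listing for the Stuxnet indicators
published in this advisory. Added example; the log lines and the file listing
below are constructed, and the Squid-style access-log layout is assumed."""
import re
from urllib.parse import urlsplit

# Indicators as quoted in the advisory (third-party reports, not verified by ICS-CERT).
C2_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}
C2_REQUEST_FRAGMENT = "index.php?data=66a96e28"
INSTALLED_FILES = {
    r"C:\WINDOWS\system32\drivers\mrxnet.sys",
    r"C:\WINDOWS\system32\drivers\mrxcls.sys",
    r"C:\WINDOWS\inf\oem7A.PNF",
    r"C:\WINDOWS\inf\oem6C.PNF",
    r"C:\WINDOWS\inf\mdmeric3.PNF",
    r"C:\WINDOWS\inf\mdmcpq3.PNF",
}

# Assumed layout: "<ts> <elapsed> <client> <result> <bytes> <method> <url> ..."
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: two benign lines, one full C2 beacon, one CONNECT to a C2
# domain, and one request carrying the C2 query string to an unrelated host.
SAMPLE_LOG = """\
1279000001.123 45 10.1.20.17 TCP_MISS/200 512 GET http://www.siemens.com/ - DIRECT/192.0.2.10 text/html
1279000002.456 80 10.1.20.17 TCP_MISS/200 220 GET http://www.mypremierfutbol.com/index.php?data=66a96e28 - DIRECT/198.51.100.7 text/html
1279000003.789 60 10.1.20.44 TCP_TUNNEL/200 1024 CONNECT todaysfutbol.com:443 - DIRECT/203.0.113.9 -
1279000004.012 30 10.1.20.44 TCP_MISS/200 300 GET http://example.org/index.php?data=66a96e28 - DIRECT/203.0.113.20 text/html
1279000005.345 20 10.1.20.51 TCP_MISS/200 400 GET http://www.microsoft.com/technet/ - DIRECT/192.0.2.11 text/html
""".splitlines()

# Constructed host listing, as a file-integrity tool or dir /s might report it.
SAMPLE_HOST_FILES = [
    r"C:\Windows\System32\drivers\mrxnet.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\inf\oem6C.PNF",
]


def host_of(url):
    """Lowercase host of a URL, minus userinfo and port. CONNECT lines carry a
    bare host:port, so a scheme-less value gets '//' prepended for urlsplit."""
    if "://" not in url:
        url = "//" + url
    netloc = urlsplit(url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def domain_matches(host):
    """Exact match or subdomain of a listed C2 domain; 'nottodaysfutbol.com' is not a hit."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_proxy_log(lines):
    """Return (client, url, reason) for every line matching a network indicator.
    The request fragment is checked independently of the domain, because the
    advisory lists it as an indicator in its own right."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        reasons = []
        if domain_matches(host_of(url)):
            reasons.append("c2-domain")
        if C2_REQUEST_FRAGMENT in url:
            reasons.append("c2-request")
        if reasons:
            hits.append((m.group("client"), url, "+".join(reasons)))
    return hits


def check_installed_files(paths):
    """Case-insensitive (NTFS) comparison of a host listing against the advisory's
    installed-file list; returns the matching indicator paths, sorted."""
    seen = {p.lower() for p in paths}
    return sorted(f for f in INSTALLED_FILES if f.lower() in seen)


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason} {url}")
    for path in check_installed_files(SAMPLE_HOST_FILES):
        print(f"indicator file present: {path}")
```

Because the malware hides its files from the infected host (see above), a clean listing from the running system is not conclusive; the network indicators and an offline scan of the disk are the stronger checks.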

Mitigation

Microsoft’s Security Advisory 2286198 (http://www.microsoft.com/technet/security/advisory/2286198.mspx, website last visited July 19, 2010) provides workarounds to mitigate this previously unknown vulnerability being exploited by this malware:

  • Disable the displaying of icons for shortcuts
  • Disable the WebClient service

Microsoft has released an updated advisory that includes:

  • Information on an additional attack vector identified through the use of PIF files, which are very similar to LNK shortcuts.
  • Updated workarounds to reflect that the IconHandler also needs to be edited.
  • A new Fix It tool, which allows administrators and users to more easily deploy the workaround.
  • A workaround to block downloading of LNK and PIF files from the internet. These files cannot be renamed, but any blocking solution should take into account the WebDAV protocol, if the WebDAV client has not already been disabled.
  • Clarification of some of the possible attack vectors, including the use of an embedded shortcut in an Office document, or the use of a web browser to browse malicious content.

Other suggested workarounds to help reduce the risks to this and other vulnerabilities include:

  • Disable AutoRun as described in Microsoft Support article 967715.
  • Implement the principle of least privilege as defined in the Microsoft TechNet Library.
  • Maintain up-to-date antivirus software.

Siemens has also released an advisory to address questions surrounding this issue. Siemens has indicated that they have received one notification of an infection to an organization in Germany. The damage, if any, is unknown at this time.

——— Begin Update C – Part 1 of 2 ———

Siemens indicates four customers have been infected worldwide with no impact to production.

——— End Update C – Part 1 of 2 ———

Antivirus vendors (F-Secure, http://www.f-secure.com/weblog/archives/00001993.html, website last visited July 21, 2010; Jeremy Kirk, http://www.infoworld.com/d/security-central/second-variant-stuxnet-worm-strikes-944?source=rss_infoworld_news, website last visited July 21, 2010) have indicated the presence of a second Stuxnet variant. Most reports indicate the new rootkit driver is very similar to previously observed samples. The main difference noted has been the use of a certificate from JMicron Technology Corporation to digitally sign the driver.

Siemens Security Update

Siemens has released a Security Update: SIMATIC_Security_Update_20100722.exe, which is available on their support website.

According to Siemens, the SIMATIC update accomplishes the following:

  • Modifies the registry settings according to Microsoft’s Security Advisory version 1.2.
  • Adapts the SQL Server settings to the latest security settings. This step will make for stricter authentication controls.

Installing this SIMATIC update will replace all Siemens system icons with standard Windows icons. Siemens recommends meaningful names be assigned to desktop and Windows Start menu links so they may be easily recognized after the update.

Additionally, Siemens product support has provided a link to download a copy of Trend Micro System Cleaner (Sysclean) to assist users in detecting/cleaning infected systems.

Owners and operators should exercise caution however, and consult their control systems vendor prior to making any changes. Proper impact analysis and testing should always be conducted prior to making any changes to control systems. Siemens CERT has indicated that they are performing testing on the mitigations to determine their possible effects on control systems.

ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report “USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure.”

Malware samples have been provided to the antivirus vendor community. ICS-CERT recommends consulting your antivirus and control systems vendor before scanning systems with current antivirus software. The malware is identified by some anti-virus vendors as the following:

  • Mcafee: Stuxnet
  • Kaspersky: Trojan-Dropper.Win32.Stuxnet.a
  • TrendMicro: WORM_STUXNET.A
  • Sophos: Troj/Stuxnet-A
  • Microsoft: TrojanDropper:Win32/Stuxnet.A
  • Panda: Trj/CI.A
  • DrWeb: Trojan.Stuxnet.1
  • Ikarus: Trojan-Dropper.Win32.Stuxnet
  • Norman: W32/Stuxnet.C
  • F-Secure: Exploit:W32/WormLink.A

As details of the malware become better known, further mitigation recommendations will be published. Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.

Organizations should follow their established internal procedures if any suspected malicious activity is observed, and report their findings to ICS‐CERT for tracking and correlation against other incidents. ICS‐CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

——— Begin Update C – Part 2 of 2 ———

Microsoft has released an out-of-band security bulletin on Monday, August 2, 2010 to address the vulnerability used by the Stuxnet malware to infect systems.

The Microsoft bulletin addresses a security vulnerability that exists in all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. ICS-CERT recommends that all control systems operations personnel work with their vendor to assess potential impacts before implementing this new fix. ICS-CERT also recommends coordinating with your vendor to determine if the operating system provided in your control systems installation is affected by this vulnerability and if a fix is available.

——— End Update C – Part 2 of 2 ———

Cisco Network Building Mediator

Overview

Cisco has identified multiple security vulnerabilities (Cisco, http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c518.shtml, website last visited May 27, 2010) in the Cisco Network Building Mediator (NBM) products. These vulnerabilities also affect the legacy Richards-Zeta Mediator products.

The following vulnerabilities have been identified: default credentials, privilege escalation, unauthorized information interception, and unauthorized information access.

Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device.

Affected Products

These vulnerabilities affect the legacy Richards-Zeta Mediator 2500 product and Cisco Network Building Mediator NBM-2400 and NBM-4800 models. All Mediator Framework software releases prior to 3.1.1 are affected by all vulnerabilities listed in this advisory.

Impact

Impact to individual organizations depends on many factors that are unique to each organization. ICS‑CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

Cisco Network Building Mediator collects data from sources that include the building, IT, energy supply, and energy demand systems, which use different protocols that are otherwise unable to communicate with one another. The Cisco Network Building Mediator normalizes the data into a common data representation. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation.

Vulnerability Characterization

Multiple distinct vulnerabilities are in the Cisco Network Building Mediator (NBM) products. These vulnerabilities also affect the legacy Richards-Zeta Mediator products.

Vulnerability Details

Default Credentials – Overall CVSS Score 8.3 (NIST, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C, website last visited May 27, 2010)

Default credentials are assigned for several predefined user accounts on the device including the administrative user account. Any user with network access to the device can log in as an administrator and take complete control over the vulnerable device.

This vulnerability can be exploited remotely with authentication and without end-user interaction. Successful exploitation of this vulnerability can result in an attacker taking complete control over the vulnerable device.

The attack vectors for exploitation are through packets using these protocols and ports:

  • Secure Shell (SSH) using TCP port 22
  • Hypertext Transfer Protocol (HTTP) using TCP port 80
  • Hypertext Transfer Protocol Secure (HTTPS) using TCP port 443
  • Extensible Markup Language Remote Procedure Call (XML-RPC) over HTTP using TCP port 81
  • XML-RPC over HTTPS using TCP port 443.

This vulnerability has been assigned CVE identifier CVE-2010-0595.

Privilege Escalation – Overall CVSS Score 7.4 (NIST, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C, website last visited May 27, 2010)

Vulnerabilities in this category enable unauthorized users to read and modify device configuration. A malicious user must authenticate as an existing user but does not need to have administrator privileges or know administrator credentials to modify device configuration. Both vulnerabilities can be exploited over either transport protocol (HTTP or HTTPS).

These vulnerabilities can be exploited remotely with authentication and without end-user interaction. Successful exploitation of these vulnerabilities can result in the attacker reading and modifying the device configuration or result in a denial of service (DoS) condition as the attacker can reload the vulnerable device. Repeated attempts that successfully exploit the vulnerability that can be used to reload the vulnerable device could result in a sustained DoS condition.

The attack vectors for exploitation are through packets using these protocols and ports:

  • HTTP using TCP port 80
  • HTTPS using TCP port 443
  • XML-RPC over HTTP using TCP port 81
  • XML-RPC over HTTPS using TCP port 443.

These vulnerabilities have been assigned CVE identifiers CVE-2010-0596 and CVE-2010-0597.

Unauthorized Information Interception – Overall CVSS Score 7.7 (NIST, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C, website last visited May 27, 2010)

These vulnerabilities reflect the fact that sessions between an operator workstation and the Cisco Network Building Mediator are not protected against unauthorized interception. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device.

These vulnerabilities can be exploited remotely without authentication and without end-user interaction. Successful exploitation of these vulnerabilities allows information disclosure, which enables an attacker to learn information about the affected device.

The attack vectors for exploitation are through packets using these protocols and ports:

  • HTTP using TCP port 80
  • XML-RPC over HTTP using TCP port 81

These vulnerabilities have been assigned CVE identifiers CVE-2010-0598 and CVE-2010-0599.

Unauthorized Information Access – Overall CVSS Score 8.3 (NIST, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C, website last visited May 27, 2010)

A malicious user could read one of the system configuration files. This configuration file contains user accounts details, including passwords. Authentication is not required to read this configuration file, and an attacker could perform this attack over either XML RPC or XML RPC over HTTPS protocol.

This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability allows information disclosure, which enables an attacker to learn information about the affected device.

The attack vectors for exploitation are through packets using these protocols and ports:

  • XML-RPC over HTTP using TCP port 81
  • XML-RPC over HTTPS using TCP port 443.

This vulnerability has been assigned CVE identifier CVE-2010-0600.

Additional information about vulnerable, unaffected, and fixed software is available in the PSIRT Security Advisory available at http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml.

Mitigation

Cisco has provided information on vulnerability workarounds; they have also released free software updates that address these vulnerabilities (Cisco, http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml, website last visited May 27, 2010).

Workarounds

Default Credentials

Administrator’s credentials can be changed using the procedure described in the Cisco Network Building Mediator User Guide (Cisco, http://www.cisco.com/en/US/docs/security/physical_security/cnbm/3.x/User/Guide/Mediator_User_Guide.pdf, website last visited May 27, 2010). Details of the procedure are given in section 2-10, Recovering the Cisco Network Building Mediator Password.

Privilege Escalation

There are no workarounds for these vulnerabilities.

Unauthorized Information Interception

The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service.

The workaround for this vulnerability is to disable HTTP service and use HTTPS instead. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. The configTOOL is the software running on the operator workstation and is used to configure the Multi-Protocol Exchange of the Cisco Network Building Mediator.

After applying this workaround to software releases 1.5.1 and 2.2, configTOOL version 3.1.0b1 is required to continue configuring Cisco Network Building Mediator via configTOOL.

To start configTOOL, double-click the Cisco Network Building Mediator configTOOL shortcut icon on the desktop, or choose Start > All Programs > Network Building Mediator configTOOL. Connect to a Cisco Network Building Mediator using the procedure described in the Cisco Network Building Mediator User Guide (Cisco, http://www.cisco.com/en/US/docs/security/physical_security/cnbm/3.x/User/Guide/Mediator_User_Guide.pdf, website last visited May 27, 2010), section 3-2, Connecting to the Cisco Network Building Mediator Using configTOOL. Inside the Node tree pane, expand the services tab, and then expand the network tab. Click the http_server tab, and then click Enabled to uncheck it.

Unauthorized Information Access

There is no workaround for this vulnerability.

Limiting Access Using IP Tables

The following protection measure can reduce risk from unauthorized access to the Cisco Network Building Mediator and minimize the risks associated with the vulnerabilities described in this advisory. This mitigation is not effective against the unauthorized information interception vulnerabilities, as exploitation of those vulnerabilities does not depend on accessing the device itself, but on intercepting the session between an operator console and the Cisco Network Building Mediator.

Administrators are advised to be selective when choosing the devices that are allowed to establish connections to the Cisco Network Building Mediator. The following rules will allow only legitimate operator console(s) to establish sessions to the Cisco Network Building Mediator. To execute following commands you must have administrator privileges on the Cisco Network Building Mediator. In the following examples, it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console.

The following code must be entered on the console. Please refer to Section 2.4 in the user guide (Cisco, http://www.cisco.com/en/US/docs/security/physical_security/cnbm/3.x/User/Guide/Mediator_User_Guide.pdf, website last visited May 27, 2010) for information on how to connect to the serial port using hyper-terminal.

# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP

# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT

NOTE: When applying rules from the above example, care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory (Cisco, http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml, website last visited May 27, 2010).

Obtaining Updated Software

Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco’s worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: [email protected]

Customers should have their product serial number available and be prepared to give the URL of the Cisco Advisory (Cisco, http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c518.shtml, website last visited May 27, 2010) as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Reporting

Organizations that detect suspicious activity related to this advisory are encouraged to report to ICS-CERT for follow-on mitigation recommendations as well as tracking and correlation. Where appropriate, ICS-CERT is able to provide additional analytical capabilities to include onsite incident response and recovery of systems.

Organizations should follow their established internal procedures for responding to suspected incidents. Proper impact analysis and risk assessment should be performed prior to taking defensive measures.

Wind River VxWorks Vulnerabilities

Overview

A security researcher has identified two vulnerabilities affecting the Wind River Systems’ VxWorks platform. The vulnerabilities are a debug service enabled by default (VU#362332) and a weak hashing algorithm used in authentication (VU#840249). ICS-CERT has been coordinating with CERT/CC in alerting control systems vendors of these vulnerabilities. ICS-CERT will continue to coordinate and publish updates as needed.

Affected Products

VxWorks is a real-time operating system that can be used in embedded systems, including control system components. Because this vulnerability is embedded in other products, the actual list of affected products is large and not completely known.

Not all products using VxWorks are vulnerable. ICS-CERT recommends that end users contact their vendors to determine if their products are affected by these vulnerabilities. CERT/CC has a partial list of vendors in the Vulnerability Notes referenced above.

Impact

Access to the debug service could result in information disclosure or denial-of-service attacks against the affected device. Complete control of the device may be possible.

The authentication vulnerability could allow an attacker to guess the password and gain unauthorized access to the device.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their environment, architecture, and product implementation.

Background

VxWorks is a trademark of Wind River Systems. VxWorks has been used in more than 500 million deployed devices (http://www.windriver.com/products/vxworks, website last accessed July 29, 2010), ranging from aerospace and defense applications to networking and consumer electronics, robotics and industrial applications, precision medical instruments, and car navigation and telematics systems (http://www.windriver.com/products/product-overviews/PO_VE_3_8_Platform_1209.pdf).

Vulnerability Characterization

Vulnerability Overview

The following two vulnerabilities have been identified:

  1. Debug Service Enabled by Default – Some products based on VxWorks ship with the debug service enabled on UDP port 17185. This service provides read and write access to the device’s memory and allows functions to be called. An attacker could use this service to fully compromise the device.

    The overall Common Vulnerability Scoring System (CVSS) severity score (http://nvd.nist.gov/cvss.cfm?calculator&version=2) for this vulnerability is 8.6 (high). The following link provides a calculator for viewing details of the score: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:W/RC:C)

  2. Weak Hashing Algorithm – The standard VxWorks authentication API uses a weak password hashing algorithm. This algorithm produces a small set of outputs for a large set of inputs, resulting in multiple strings having the same hash, otherwise known as collisions. An attacker could brute force the password in a relatively short period of time by guessing a string that produces the same hash as the legitimate password.

    The overall CVSS severity score for this vulnerability is 7.7 (high). The following link provides a calculator for viewing details of the score: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:C)

Vulnerability Details

Exploitability

The enabled debug service allows full access to the memory of the device to an unauthenticated remote user. A memory dump would likely reveal passwords and configuration information. An attacker could use write access to perform denial-of-service attacks, and if familiar with the device, could gain complete control.

Exploiting the vulnerability in the authentication API would require the following:

  • The default API must be the authentication method used
  • The attacker would first need a valid username
  • The attacker would need access to a service using the API such as rlogin, Telnet or FTP

Existence of Exploit

Proof-of-concept code is expected to be made public by the researcher. However, at the time of this writing, no known exploits exist in the field specifically targeting these vulnerabilities.

Difficulty

Accessing the debug service would be trivial unless blocked by a firewall. An attacker may need to be familiar with the device to control it by writing to memory; however, a memory dump would not be difficult.

Brute forcing a password is not difficult, and software tools exist to automate the process. Exploiting the authentication API vulnerability is made easier by the fact that no account lockout is implemented by default. Users are not disconnected for too many incorrect login attempts.

Mitigation

The mitigations differ for vendors utilizing VxWorks in their products, and the end-users of these products.

Vendors Using VxWorks

Vendors using VxWorks in their products should disable the debug agent for production systems. The VxWorks Kernel Programmer’s 6.8 Guide recommends that only those components needed for deployed operation be enabled. Components required for host development support such as the debug agent and debugging components should be removed.

Vendors should not use the standard default authentication API (loginDefaultEncrypt()) in their VxWorks products. Other encryption routines can be implemented by using the loginEncryptInstall() routine in the VxWorks loginLib library. Contact Wind River Support (http://www.windriver.com/support/) or refer to Vulnerability Note VU#840249 (http://www.kb.cert.org/vuls/id/840249) for instructions. A trusted authentication API should be chosen to replace the standard default.

Users of Products with Embedded VxWorks

End users should restrict access to debug port 17185/udp with appropriate firewall rules. It is good security practice to block all ports not explicitly needed for operation. This is referred to as a “default deny” policy.

Users should restrict access to any service that uses the standard default authentication (e.g., rlogin, Telnet, FTP) with appropriate firewall rules. If possible, such services should be disabled if not needed. Intrusion detection/prevention systems can be used to detect brute force attacks (password guessing) against such services.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

Rockwell Automation RSLinx Classic EDS Vulnerability (Update A)

OVERVIEW

A buffer overflow vulnerability exists in the Rockwell Automation RSLinx Classic EDS Hardware Installation Tool (RSHWare.exe). This vulnerability is likely exploitable; however, significant user interaction would be required.

AFFECTED PRODUCTS

EDS Hardware Installation Tool Version 1.0.5.1 and earlier.

IMPACT

The CVSS impact subscore for this vulnerability, as calculated by ICS-CERT, is high (10) because successfully exploiting this vulnerability would allow an attacker to run arbitrary code on the target machine. However, the exploitability subscore is low (3.2) because of the difficulty of exploiting this vulnerability.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

BACKGROUND

Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.
RSLinx provides connectivity to plant floor devices for Rockwell software applications. To register a device on the network, product specific information must be supplied via an Electronic Data Sheet (EDS) file. The RSLinx Hardware Installation Tool parses the EDS file containing the hardware’s specifications.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

On February 9, 2010, a security researcher posted a blog entry regarding a buffer overflow vulnerability in an EDS file installation tool, later found to be the Rockwell Automation EDS Hardware Installation Tool (RSHWare.exe). ICS-CERT has verified that the vulnerability exists in RSLinx Classic Version 2.41.00 (RSHWare.exe Version 1.0.4.0).

VULNERABILITY DETAILS

Common Vulnerability Scoring System (CVSS) Score

Overall CVSS Score: 6.2

  • CVSS Base Score: 6.9
    • Impact Subscore: 10
    • Exploitability Subscore: 3.4
  • CVSS Temporal Score: 6.2
  • CVSS Environmental Score: Organization Defined

Shorthand CVSS Scoring Notation: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:U/RC:C

EXPLOITABILITY

This vulnerability is likely exploitable; however, it is not possible without user interaction. An attacker cannot initiate the exploit from a remote machine. The exploit is only triggered when a local user runs the vulnerable application and loads the malformed EDS file.

EXISTENCE OF EXPLOIT

There are currently no known exploits specifically targeting this vulnerability.

DIFFICULTY

Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to accept the malformed EDS file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.

MITIGATION

Rockwell Automation recommends customers take the following steps to mitigate risk associated with this vulnerability:

  1. Restrict physical access to the computer.
  2. Establish policies and procedures such that only authorized individuals have administrative rights on the computer.
  3. Obtain product EDS files from trusted sources (e.g., product vendor).

Rockwell Automation will modify the EDS Hardware Installation Tool to properly handle EDS files and will release the modified version as a patch by May 2010. This modified version will be included in all future releases of RSLinx Classic starting with Version 2.57.

*** BEGIN UPDATE A ***

Rockwell Automation has issued a software patch for the EDS Hardware Installation Tool that addresses this buffer overflow vulnerability. When applied, the patch replaces the RSEds.dll file with the modified Version 4.0.1.157. Future releases of RSLinx Classic, starting with Version 2.57, will include this modified version of the RSEds.dll.

Rockwell has also updated Technote 67272 to include instructions on how to obtain and apply the patch.

*** END UPDATE A ***

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

ABB NETCADOPS HELP SYSTEM VULNERABILITY

Overview

A cross-site scripting (XSS) vulnerability (http://www.owasp.org/index.php/Cross-siteScripting) exists in the system used by the ABB Electrical Distribution Management System (DMS) product netCADOPS to generate online Help.

Affected Products

All releases of the ABB netCADOPS product.

The ABB Network Manager DMS client products ORMap and OMI are not affected by this problem, because this vulnerability is related solely to netCADOPS web-based online Help. Further, no other ABB SCADA products, including, but not limited to, MicroSCADA Pro, RANGER, Network Manager NM-R, and 800xA are affected by this vulnerability.

Impact

At this time, ICS-CERT has not independently verified the vulnerability or update to determine the condition details and potential impact to organizations. ICS-CERT is providing this notice to make organizations aware of the vulnerability and patch release from ABB. ICS-CERT recommends that organizations contact ABB for additional details to evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

ABB is a power and automation technology company. The ABB DMS is used by electric utilities to manage their distribution level infrastructure.

Mitigation

ABB recommends removing the netCADOPS Help files from the netCADOPS web server installation directory.
A new Help system that resolves the vulnerability is included in the NM DMS 3.4.7.5.201002160 patch release. Contact your ABB Network Management software maintenance services representative or Doug Wall ([email protected]) for further instructions.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.