Saturday, September 17, 2016

Public ICS Vulnerability Disclosure – 09-10-16

This week there was one public disclosure of industrial control system vulnerabilities on the Full Disclosure mailing list. Karn Ganeshen reported a number of vulnerabilities in the BINOM3 Electric Power Quality Meter. Karn reports submitting a vulnerability notification to ICS-CERT on May 25th, 2016, and notes that there has been no reply from the Russian vendor to date.

The reported vulnerabilities include:

• Reflected cross-site scripting;
• Stored cross-site scripting;
• Weak credentials;
• Undocumented root account;
• Sensitive information stored in clear text;
• Cross-site request forgery;
• Sensitive data leakage; and
• Access control issues.

Given its 45-day non-response disclosure policy, it seems odd that ICS-CERT has not issued an advisory on these vulnerabilities.
