This week there was one public disclosure of an industrial control system on the Full Disclosure mailing list. Karn Ganeshen reported a number of vulnerabilities in the BINOM3 Electric Power Quality Meter. Karn reports submitting a vulnerability notification to ICS-CERT on May 25th, 2016, noting that there has been no reply from the Russian vendor to date.
The reported vulnerabilities include:
• Reflected cross-site scripting;
• Stored cross-site scripting;
• Weak credentials;
• Undocumented root account;
• Sensitive information stored in clear text;
• Vulnerable to cross-site request forgery;
• Sensitive data leakage; and
• Access control issues
With their 45-day non-response disclosure policy it seems odd that ICS-CERT has not issued an advisory on this vulnerability.