This week there was one public disclosure of an industrial
control system on the Full
Disclosure mailing list. Karn Ganeshen reported a number of vulnerabilities
in the BINOM3 Electric Power
Quality Meter. Karn reports submitting a vulnerability notification to
ICS-CERT on May 25th, 2016, noting that there has been no reply from
the Russian vendor to date.
The reported vulnerabilities include:
• Reflected cross-site scripting;
• Stored cross-site scripting;
• Weak credentials;
• Undocumented root account;
• Sensitive information stored in
clear text;
• Vulnerable to cross-site request
forgery;
• Sensitive data leakage; and
• Access control issues
With their 45-day non-response disclosure
policy it seems odd that ICS-CERT has not issued an advisory on this
vulnerability.
Posts
No comments:
Post a Comment