Maxim Rupp
If you are interested in exploring a commercial partnership or want to collaborate, contact me.

contact@rupp.it (PGP/MIME: 0x8D961353/MIT PGP Key Server. S/MIME: .crt)
rupp@cure53.de (PGP/MIME: 0x61552424/MIT PGP Key Server)
@mmrupp

Most of the issues found are under NDA and cannot be disclosed.
Some of the public work and research done in spare time includes, but is not limited to:


Publications

PHOENIX CONTACT FL COM SERVER RS485: Lack of proper ACL (Full Disclosure) and Improper Neutralization (CVE-2017-16723)
Onanimationcancel handler based XSS for FF>=54.0
Security Advisory: Vulnerabilities in RUGGEDCOM ROX I / Siemens RX1000; PDF
Security Advisory: Honeywell XL Web II Controller Vulnerabilities; PDF


This section focuses on public security advisories for ICS/SCADA and BMS environments.
A complete list of public advisories can be found here. Set out below is an extract from this list.

Recent public ICS-CERT Advisories

Individual pages: Moxa

Ice Qube Thermal Management Center
CVE-2017-14026 (CWE-284: Improper Access Control)
CVE-2017-16714 (CWE-256: Unprotected Storage of Credentials)

BeaconMedaes TotalAlert Scroll Medical Air Systems
CVE-2018-7526 (CWE-284: Improper Access Control)
CVE-2018-7518 (CWE-522: Insufficiently Protected Credentials)
CVE-2018-7510 (CWE-256: Unprotected Storage of Credentials)

ABB IP Gateway
CVE-2017-7931 (CWE-287: Improper Authentication)
CVE-2017-7906 (CWE-352: Cross-Site Request Forgery)
CVE-2017-7933 (CWE-256: Unprotected Storage of Credentials)

PHOENIX CONTACT FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH
CVE-2017-16723 (CWE-79: Improper Neutralization of Input During Web Page Generation)

ProMinent MultiFLEX M10a Controller
CVE-2017-14013 (CWE-602: Client-Side Enforcement of Server-Side Security)
CVE-2017-14007 (CWE-613: Insufficient Session Expiration)
CVE-2017-14011 (CWE-352: Cross-Site Request Forgery)
CVE-2017-14009 (CWE-200: Information Exposure)
CVE-2017-14005 (CWE-620: Unverified Password Change)

LAVA Computer MFG Inc. Ether-Serial Link
CVE-2017-14003 (CWE-290: Authentication Bypass by Spoofing)

Siemens 7KT PAC1200 Data Manager
CVE-2017-9944 (CWE-288: Authentication Bypass Using an Alternate Path or Channel)

Ctek, Inc. SkyRouter
CVE-2017-14000 (CWE-287: Improper Authentication)

Siemens LOGO!
CVE-2017-12734 (CWE-522: Insufficiently Protected Credentials)

ABB VSN300 WiFi Logger Card
CVE-2017-7920 (CWE-287: Improper Authentication)
CVE-2017-7916 (CWE-264: Permissions, Privileges, and Access Controls)

Newport XPS-Cx, XPS-Qx
CVE-2017-7919 (CWE-287: Improper Authentication)

Moxa (OnCell)
CVE-2017-7915 (CWE-307: Improper Restriction of Excessive Authentication Attempts)
CVE-2017-7913 (CWE-256: Plaintext Storage of a Password)
CVE-2017-7917 (CWE-352: Cross-Site Request Forgery)
and more.


Public Security Advisories from Vendors

Echelon: ESA-20180823-01 i.LON 600 Authentication Bypass

・ω・