Hello.


Please feel free to get in touch with me if you have questions or need more information.
You can contact me on Twitter (@mmrupp) or by e-mail (contact@rupp.it / rupp@cure53.de).


Use one of the following keys when discussing confidential information:

User ID: contact@rupp.it; Key ID: 0x8D961353; TXT, MIT PGP Key Server
Fingerprint: CCEF 7BF2 19D0 2D97 40F3 5F9F 2970 13B3 8D96 1353

User ID: rupp@cure53.de; Key ID: 0x61552424; TXT, MIT PGP Key Server
Fingerprint: 6040 9340 9A93 3223 4166 8C74 8D5D 7176 6155 2424


Most of the issues I have found are under NDA and cannot be disclosed. Some other findings will not be disclosed to the public by me for ethical reasons.
Below you can find some of my public research and notes, produced in my spare time.

Notes: onanimationcancel handler-based XSS for Firefox >= 54.0
Security Advisory: Vulnerabilities in RUGGEDCOM ROX I / Siemens RX1000; PDF
Security Advisory: Honeywell XL Web II Controller Vulnerabilities; PDF

A more complete list of public advisories can be found here. Set out below is an extract from this list.

Recent public ICS-CERT Advisories

These public security advisories focus on ICS/SCADA and BMS devices and technologies.
Individual pages: Moxa

PHOENIX CONTACT FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH
CVE-2017-16723 (CWE-79: Improper Neutralization of Input During Web Page Generation)


ProMinent MultiFLEX M10a Controller
CVE-2017-14013 (CWE-602: Client-Side Enforcement of Server-Side Security)
CVE-2017-14007 (CWE-613: Insufficient Session Expiration)
CVE-2017-14011 (CWE-352: Cross-Site Request Forgery)
CVE-2017-14009 (CWE-200: Information Exposure)
CVE-2017-14005 (CWE-620: Unverified Password Change)


LAVA Computer MFG Inc. Ether-Serial Link
CVE-2017-14003 (CWE-290: Authentication Bypass by Spoofing)


Siemens 7KT PAC1200 Data Manager
CVE-2017-9944 (CWE-288: Authentication Bypass Using an Alternate Path or Channel)


Ctek, Inc. SkyRouter
CVE-2017-14000 (CWE-287: Improper Authentication)


Siemens LOGO!
CVE-2017-12734 (CWE-522: Insufficiently Protected Credentials)


ABB VSN300 WiFi Logger Card
CVE-2017-7920 (CWE-287: Improper Authentication)
CVE-2017-7916 (CWE-264: Permissions, Privileges, and Access Controls)


Newport XPS-Cx, XPS-Qx
CVE-2017-7919 (CWE-287: Improper Authentication)


Moxa OnCell
CVE-2017-7915 (CWE-307: Improper Restriction of Excessive Authentication Attempts)
CVE-2017-7913 (CWE-256: Plaintext Storage of a Password)
CVE-2017-7917 (CWE-352: Cross-Site Request Forgery)


Detcon SiteWatch Gateway
CVE-2017-6049 (CWE-287: Improper Authentication)
CVE-2017-6047 (CWE-256: Plaintext Storage of a Password)


Advantech B+B SmartWorx MESR901
CVE-2017-7909 (CWE-603: Use of Client-Side Authentication)



Recent public CERT Advisories

Chiyu Technology fingerprint access control contains multiple vulnerabilities
CVE-2015-2870 (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page)
CVE-2015-2871 (CWE-288: Authentication Bypass Using an Alternate Path or Channel)


Honeywell Tuxedo Touch Controller contains multiple vulnerabilities
CVE-2015-2847 (CWE-603: Use of Client-Side Authentication)
CVE-2015-2848 (CWE-352: Cross-Site Request Forgery)



Best regards.
Last updated: December 2017