Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

       RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability
                               17 June 2015


        AusCERT Security Bulletin Summary

Product:           RLE Nova-Wind Turbine HMI
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2015-3951  

Original Bulletin: 

Revision History:  June 17 2015: Revised as alert and summary added
                   June 17 2015: Updated impact and vulnerability overview 
                   June 15 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-162-01A)

RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A)

Original release date: June 11, 2015 | Last revised: June 15, 2015

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.


This updated advisory is a follow-up to the original advisory titled 
ICSA-15-162-01 RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability 
that was published June 11, 2015, on the NCCIC/ICS-CERT web site.

Independent researcher Maxim Rupp has identified an unsecure credential 
vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. RLE has 
been unresponsive in validating or addressing the alleged vulnerability. 
ICS-CERT is releasing this advisory to warn and protect critical asset owners
of this serious issue.

This vulnerability could be exploited remotely.


The following RLE International GmbH product is affected:

Nova-Wind Turbine HMI


- --------- Begin Update A Part 1 of 2 --------

Plain text credentials can be used to gain unauthorized access to the device.
This means that a malicious party could perform any action on the device 
including change or modify configurations and settings.

- --------- End Update A Part 1 of 2 ----------

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture, 
and product implementation


RLE International GmbH is a Germany-based company that maintains offices in 
several countries around the world, including the US, UK, Sweden, and India.

The affected product, Nova-Wind Turbine HMI, is a human-machine interface 
(HMI) for a wind turbine. This product is used in the Energy Sector.



- --------- Begin Update A Part 2 of 2 --------


The Nova-Wind Turbine HMI stores credentials in a plaintext file. If a 
malicious user recovers this file, then they could use the credentials to 
authenticate with the HMI and make changes to the configuration.

- --------- End Update A Part 2 of 2 ----------

CVE-2015-3951[b] has been assigned to this vulnerability. A CVSS v2 base score 
of 10.0 has been assigned; the CVSS vector string is 



This vulnerability could be exploited remotely.


No known public exploits specifically target this vulnerability.


An attacker with a low skill would be able to exploit this vulnerability.


ICS-CERT has attempted on multiple occasions to contact the vendor regarding 
this serious flaw and have according to our vulnerability disclosure policy 
now produced this advisory. Insecure credential vulnerabilities create a 
serious risk to asset owners. ICS-CERT strongly recommends ensuring that the 
impacted product is not connected to the Internet or any network as this 
vulnerability is remotely exploitable.

a. CWE-256: Plaintext Storage of a Password, 
http://cwe.mitre.org/data/definitions/256.html, web site last accessed June 
11, 2015.

b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3951, web 
site last accessed June 15, 2015.

c. CVSS Calculator, 
http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web
site last accessed June 11, 2015.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 

ICS-CERT continuously strives to improve its products and services. You can 
help by choosing one of the links below to provide feedback about this 

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967