-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.1550.3
       RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability
                               17 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RLE Nova-Wind Turbine HMI
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2015-3951  

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-15-162-01A

Revision History:  June 17 2015: Revised as alert and summary added
                   June 17 2015: Updated impact and vulnerability overview 
				 details
                   June 15 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-162-01A)

RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A)

Original release date: June 11, 2015 | Last revised: June 15, 2015

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

This updated advisory is a follow-up to the original advisory titled 
ICSA-15-162-01 RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability 
that was published June 11, 2015, on the NCCIC/ICS-CERT web site.

Independent researcher Maxim Rupp has identified an unsecure credential 
vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. RLE has 
been unresponsive in validating or addressing the alleged vulnerability. 
ICS-CERT is releasing this advisory to warn and protect critical asset owners
of this serious issue.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following RLE International GmbH product is affected:

Nova-Wind Turbine HMI

IMPACT

- --------- Begin Update A Part 1 of 2 --------

Plain text credentials can be used to gain unauthorized access to the device.
This means that a malicious party could perform any action on the device 
including change or modify configurations and settings.

- --------- End Update A Part 1 of 2 ----------

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture, 
and product implementation

BACKGROUND

RLE International GmbH is a Germany-based company that maintains offices in 
several countries around the world, including the US, UK, Sweden, and India.

The affected product, Nova-Wind Turbine HMI, is a human-machine interface 
(HMI) for a wind turbine. This product is used in the Energy Sector.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

- --------- Begin Update A Part 2 of 2 --------

PLAINTEXT STORAGE OF A PASSWORD[a]

The Nova-Wind Turbine HMI stores credentials in a plaintext file. If a 
malicious user recovers this file, then they could use the credentials to 
authenticate with the HMI and make changes to the configuration.

- --------- End Update A Part 2 of 2 ----------

CVE-2015-3951[b] has been assigned to this vulnerability. A CVSS v2 base score 
of 10.0 has been assigned; the CVSS vector string is 
(AV:N/AC:L/Au:N/C:C/I:C/A:C).[c]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a low skill would be able to exploit this vulnerability.

MITIGATION

ICS-CERT has attempted on multiple occasions to contact the vendor regarding 
this serious flaw and have according to our vulnerability disclosure policy 
now produced this advisory. Insecure credential vulnerabilities create a 
serious risk to asset owners. ICS-CERT strongly recommends ensuring that the 
impacted product is not connected to the Internet or any network as this 
vulnerability is remotely exploitable.

a. CWE-256: Plaintext Storage of a Password, 
http://cwe.mitre.org/data/definitions/256.html, web site last accessed June 
11, 2015.

b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3951, web 
site last accessed June 15, 2015.

c. CVSS Calculator, 
http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web
site last accessed June 11, 2015.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You can 
help by choosing one of the links below to provide feedback about this 
product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVYDSZ36ZAP0PgtI9AQLV2RAAuGzpg/2d1k/BFphPGD3xb3GxCU5N6xH7
M1ap8o3ONwDNViDbjvfAxSS+U5mZF+CyLQL0/eifvlzp3qm2SYxeIr+VeJWfctK7
OyqTVdcUU68Cyw4gcO6e+IiHCVe/wXVe1+mYUi/+dzioRFaEoFFwUxWgX6SkAVSR
IhfIs6qneeOT+DW7oXLnWbbjMH0a+HihKW6cSRrVobEwfc/pY2RTMaZ4hPpBZAOK
v2zhzdXN8546hiTmWa/njOeScBQZesQiEAotHu7DTDYb1VKSEnvBosHdZRAYaIj5
tWqtUU4D6+V7MEKH/qluVKDF9dP2jPaJpcrYhCFZYs7GawRjTi8gJywEQMsdk3vY
HxZDsnOli9KonILcNmXV2qMHrJHpohqz3AKrclTEs1oKxBlK9FEauxIh6DZxZMHe
lf9NfcWWnv+MRIPdkwTdgtzzBRZWpjK1P42LR03Ig3xTUrv7NbSjkXjGNvFx6GHH
Zlv+htkOakMaHjINa3O7PhRzkO9uEi6bgjDwVExKTsPxFgxehbtX2bkxH+lFFOV0
CCEKgAxDAp6kn+Xz4ldqT2AjttTYFdgtKIpjBd8uAZwvUBoWuJx4nVDRCNBLMwpL
dSBoSN3Zd5PdXahX9mM3Qu2y4RvjPvTx+KhGcK7bbN6QjUy9WE8fuKqYoMzm+UhT
c8i9+ZHUpb4=
=rzGz
-----END PGP SIGNATURE-----