This afternoon DHS ICS-CERT published an advisory for an unsecure credential vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. The vulnerability was reported by Maxim Rupp. ICS-CERT advises that RLE has been unresponsive in validating or addressing the alleged vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to access the device and make changes to the configuration without authentication.
ICS-CERT has apparently completely given up on RLE. Instead of the standard generic mitigation measures that they typically apply to almost every advisory, ICS-CERT simply reports that:
“ICS-CERT has attempted on multiple occasions to contact the vendor regarding this serious flaw and have according to our vulnerability disclosure policy now produced this advisory. Insecure credential vulnerabilities create a serious risk to asset owners. ICS-CERT strongly recommends ensuring that the impacted product is not connected to the Internet or any network as this vulnerability is remotely exploitable.”
That is probably as close as ICS-CERT can come to saying ‘junk it for your own protection’.