This afternoon DHS ICS-CERT published an advisory
for an insecure credential vulnerability in the RLE International GmbH
Nova-Wind Turbine HMI. The vulnerability was reported by Maxim Rupp. ICS-CERT
advises that RLE has been unresponsive in validating or addressing the alleged
vulnerability.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to access the device and make changes to the
configuration without authentication.
ICS-CERT has apparently completely given up on RLE. Instead
of the standard generic mitigation measures that they typically apply to almost
every advisory, ICS-CERT simply reports that:
“ICS-CERT has attempted on multiple
occasions to contact the vendor regarding this serious flaw and have according
to our vulnerability disclosure policy now produced this advisory. Insecure
credential vulnerabilities create a serious risk to asset owners. ICS-CERT strongly
recommends ensuring that the impacted product is not connected to the Internet
or any network as this vulnerability is remotely exploitable.”
That is probably as close as ICS-CERT can come to saying ‘junk
it for your own protection’.