A week after disclosing a cross-site request forgery vulnerability in small wind turbines manufactured by a company called XZERES, a security researcher has discovered a serious bug in the human-machine interface for turbines made by German company RLE International GmbH.
Researcher Maxim Rupp discovered the vulnerability in the Nova-Wind Turbine HMI and reported it to the vendor. The vendor has been unresponsive, however, so ICS-CERT issued an advisory about the vulnerability in order to warn users.
The vulnerability stems from the HMI software storing user credentials in plaintext, which makes the turbines attractive targets for attackers. An attacker who obtains the credentials would be able to perform any action they chose on the device.
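To show concretely why plaintext credential storage is the root problem, here is an added example (not code from the Nova-Wind HMI or from RLE; the user names, passwords and the store layout are constructed for illustration). It puts the weak pattern, a store whose value is the usable password, beside a hardened one that keeps only a salted PBKDF2 hash, so that reading the store no longer yields a working credential.

```python
import hashlib
import hmac
import os

# Constructed sample account; not a real HMI user.
SAMPLE_USER = "operator"
SAMPLE_PASSWORD = "turbine123"

# The weak pattern: the stored value *is* the password. Anyone who can read
# the configuration file (backup, exposed share, remote file read) logs in.
PLAINTEXT_STORE = {SAMPLE_USER: SAMPLE_PASSWORD}

PBKDF2_ITERATIONS = 200_000


def verify_plaintext(store, user, password):
    # Comparison against the raw stored secret: the leak of the store is the leak of the password.
    return store.get(user) == password


def make_record(password, iterations=PBKDF2_ITERATIONS):
    # Per-user random salt plus a slow KDF: the stored value cannot be replayed as a login.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_hashed(store, user, password):
    rec = store.get(user)
    if rec is None:
        # Burn the same KDF cost for unknown users so response time does not
        # reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    # Constant-time comparison so the check itself does not leak via timing.
    return hmac.compare_digest(digest.hex(), rec["hash"])


# Hardened store: holds only the salted hash of the constructed sample password.
HASHED_STORE = {SAMPLE_USER: make_record(SAMPLE_PASSWORD)}


def store_value_is_usable_credential(verify, store, user):
    """Simulate the disclosure scenario: an attacker reads the stored value for
    `user` and presents it as the password. True means the leak alone grants login."""
    stored = store[user]
    if isinstance(stored, dict):
        stored = stored["hash"]
    return verify(store, user, stored)


if __name__ == "__main__":
    print("plaintext store leaks a working login:",
          store_value_is_usable_credential(verify_plaintext, PLAINTEXT_STORE, SAMPLE_USER))
    print("hashed store leaks a working login:",
          store_value_is_usable_credential(verify_hashed, HASHED_STORE, SAMPLE_USER))
```

The point of `store_value_is_usable_credential` is the one the advisory makes: with plaintext storage, reading the file is equivalent to holding the password, while with a salted hash the attacker still has to guess the password offline, and the KDF cost slows that down. Hashing does not help if the HMI also exposes the store over the network, which is why the advisory's first recommendation is network isolation.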
“Independent researcher Maxim Rupp has identified an unsecure credential vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. RLE has been unresponsive in validating or addressing the alleged vulnerability. ICS-CERT is releasing this advisory to warn and protect critical asset owners of this serious issue,” the advisory says.
The vulnerability is remotely exploitable and the advisory says an attacker with low-level skills would be able to exploit it. ICS-CERT has tried to contact the vendor, but without any success.
“ICS-CERT has attempted on multiple occasions to contact the vendor regarding this serious flaw and have according to our vulnerability disclosure policy now produced this advisory. Insecure credential vulnerabilities create a serious risk to asset owners. ICS-CERT strongly recommends ensuring that the impacted product is not connected to the Internet or any network as this vulnerability is remotely exploitable,” the advisory says.
Last week, Rupp reported a CSRF vulnerability in the XZERES 442SR wind turbine, a small-scale device. The vulnerability isn’t as easily exploitable as the plaintext credential bug in the Nova-Wind Turbine, but it’s a serious flaw nonetheless.
“Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and will allow the default ID to be changed. This exploit can cause a loss of power for all attached systems,” an advisory from ICS-CERT says.
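For the CSRF case, an added example (not XZERES or ICS-CERT code; the endpoint name, the request shape and the `hmi.example.invalid` origin are constructed assumptions) of how a state-changing HMI request such as an ID change can be protected. It combines two standard defenses: rejecting requests whose `Origin`/`Referer` is not the HMI's own origin, and requiring a per-session anti-CSRF token that a page on another site cannot read.

```python
import hashlib
import hmac
import secrets

# Constructed per-process server secret used to bind tokens to a session.
SERVER_KEY = secrets.token_bytes(32)
HMI_ORIGIN = "https://hmi.example.invalid"  # assumed origin of the HMI web interface


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(session_id, nonce). It is embedded in the HMI's
    own form; a page on another origin cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_change_id(request: dict, session_id: str) -> tuple:
    """Hypothetical handler for the 'change device ID' action.
    `request` is a dict with 'method', 'headers' and 'form'. Returns (status, message)."""
    if request.get("method") != "POST":
        # State changes over GET are trivially forgeable via an <img> or link.
        return 405, "id change requires POST"
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(HMI_ORIGIN + "/") and origin != HMI_ORIGIN:
        # Browsers attach Origin/Referer to cross-site form posts; a third-party
        # page cannot forge them, so a mismatch marks a cross-site request.
        return 403, "cross-origin request rejected"
    if not csrf_token_valid(session_id, request.get("form", {}).get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"device id set to {request['form']['new_id']}"


if __name__ == "__main__":
    sid = "session-abc"
    token = issue_csrf_token(sid)
    legit = {"method": "POST", "headers": {"Origin": HMI_ORIGIN},
             "form": {"csrf_token": token, "new_id": "WT-07"}}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"new_id": "WT-99"}}
    print(handle_change_id(legit, sid))
    print(handle_change_id(forged, sid))
```

The origin check alone is enough against a browser-launched forgery, and the token alone is enough where a proxy strips the `Origin` header; using both covers each other's blind spots. Note that, as with the plaintext-credential flaw above, none of this replaces keeping the turbine's HMI off untrusted networks.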