Nordex Fixes Wind Farm SCADA App

Wednesday, October 14, 2015 @ 02:10 PM gHale

Nordex created an update to mitigate a cross-site scripting vulnerability in its NC2 Wind Farm Portal application, according to a report on ICS-CERT.

The Nordex Control 2 (NC2) SCADA V16 and prior versions suffer from the remotely exploitable vulnerability, discovered by Independent researcher Karn Ganeshen.

Omron Fixes Multiple Vulnerabilities
Pump Infusion System Holes Mended
Mitsubishi Fixes Controller DoS
Remedy to Fix Unsupported PKS Hole

Cross-site scripting presents one entry point for attackers to access and manipulate control systems networks. It takes advantage of web servers that return dynamically generated web pages. Cross-site scripting also allows users to post viewable content in order to execute arbitrary HTML and active content such as JavaScript, ActiveX, and VBScript on a remote machine browsing the site within the context of a client-server session.

This can potentially allow an attacker to redirect the web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and plant backdoor programs.

Nordex is a company based in Germany that maintains offices in countries around the world.

The affected product, Nordex Control 2, is a web-based SCADA system for wind power plants. NC2 see action across the energy sector and the company said this product sees use primarily in the United States, Europe, and China.

Cross-site scripting allows a malicious party to alter the pages presented by a web server such that other client browsers could be redirected to another page or download malicious script.

CVE-2015-6477 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

No known public exploits specifically target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.

Nordex has to do the patching of the NC2-SCADA system. Nordex will upgrade all wind farms with a valid service contract to the patched version of the NC2-SCADA in coordination with normal maintenance operations.

Owners of Nordex NC2-based wind farms without a valid service contract can order the patch from Nordex by contacting their local Nordex service organization.