Wind Turbine Vulnerability Patched

Tuesday, December 8, 2015 @ 06:12 PM gHale

XZERES created a patch to mitigate a cross-site scripting vulnerability in its 442SR turbine generator operating system (OS), according to a report on ICS-CERT.

This vulnerability, discovered by independent researcher Karn Ganeshen, is remotely exploitable.

The 442SR Wind Turbine suffers from the issue.

Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and could allow an attacker to change the default ID. This exploit can cause a loss of power for all attached systems.

XZERES is a U.S.-based energy company that maintains offices in several countries around the world, including the UK, Italy, Japan, Vietnam, Philippines, and Myanmar.

The affected product, 442SR Wind Turbine, has a web-based interface system. According to XZERES, the 442SR is deployed across the energy sector, and the company estimates the product is in use worldwide.

The 442SR OS recognizes the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser, which allows the default user ID to be changed. The default user has admin rights to the entire system.
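
The input-handling weakness described above, as an added example that is not XZERES code and not part of the ICS-CERT report: a hypothetical handler that accepts the ID over GET or POST alike, next to a hardened one that changes state only on POST with a session token and encodes the ID on output. The parameter names `id` and `token`, both handlers and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

# Hypothetical in-memory state standing in for a device's account store.
STATE = {"user_id": "admin"}
SESSION_TOKEN = secrets.token_hex(16)  # anti-forgery token issued at login


def weak_handler(method, query="", body=""):
    """Weak pattern: GET and POST input is merged, so a plain link can write."""
    params = {**parse_qs(query), **parse_qs(body)}
    if "id" in params:
        STATE["user_id"] = params["id"][0]
    # The ID is echoed into the page without output encoding.
    return 200, "<p>User ID: %s</p>" % STATE["user_id"]


def hardened_handler(method, query="", body=""):
    """State changes need POST plus the session token; output is encoded."""
    if method == "GET":
        # Read-only path: query-string parameters never modify state.
        return 200, "<p>User ID: %s</p>" % escape(STATE["user_id"])
    if method != "POST":
        return 405, "method not allowed"
    params = parse_qs(body)
    token = params.get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        return 403, "missing or invalid token"
    new_id = params.get("id", [""])[0]
    if not new_id.isalnum() or len(new_id) > 32:
        return 400, "invalid id"
    STATE["user_id"] = new_id
    return 200, "<p>User ID: %s</p>" % escape(STATE["user_id"])


def demo():
    """Run constructed requests through both handlers and collect results."""
    results = {}
    STATE["user_id"] = "admin"
    results["weak_get"] = weak_handler("GET", query="id=operator2")
    results["weak_state"] = STATE["user_id"]
    STATE["user_id"] = "admin"
    results["hard_get"] = hardened_handler("GET", query="id=operator2")
    results["hard_no_token"] = hardened_handler("POST", body="id=operator2")
    results["hard_ok"] = hardened_handler(
        "POST", body="id=operator2&token=" + SESSION_TOKEN)
    results["hard_state"] = STATE["user_id"]
    return results
```
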

CVE-2015-0985 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

No known public exploits specifically target this vulnerability; however, code exists online that can be easily modified to initiate an XSS with this vulnerability. Crafting a working exploit for this vulnerability would be easy.

XZERES has developed a manually deployable patch that mitigates this vulnerability.

Contact the XZERES Service Team for instructions and support implementing the patch.