XZERES Fixes Wind Turbine Hole

Monday, June 8, 2015 @ 12:06 PM gHale

XZERES created a patch to mitigate a cross-site request forgery (CSRF) vulnerability in its 442SR turbine generator operating system (OS), according to a report on ICS-CERT.

The 442SR Wind Turbine suffers from the remotely exploitable issue, discovered by Independent researcher Maxim Rupp.

Moxa Fixes Buffer Overflow Hole
Beckwith Fixes TCP Initial Sequence Hole
IDS Creates New Module to Fix Hole
Rockwell Fixes RSView32 Vulnerability

Successful exploitation of this vulnerability allows the ID to end up retrieved from the browser and allows the attacker to change the default ID. This exploit can cause a loss of power for all attached systems.

Wilsonville, OR-based XZERES maintains offices in several countries around the world, including the UK, Italy, Japan, Caribbean, Vietnam, Philippines, and Myanmar.

The affected product, 442SR Wind Turbine, has a web-based interface system. According to XZERES, the 442SR sees action across the energy sector. XZERES estimates this product sees use worldwide.

The 442SR OS recognizes the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser and will allow the default user ID to end up changed. The default user has admin rights to the entire system.

CVE-2015-3950 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.

No known public exploits specifically target this vulnerability. Crafting a working exploit for this vulnerability would be easy. There is no public exploit for this exact vulnerability. However, code exists online that can easily end up modified to initiate a CSRF with this vulnerability.

XZERES developed a manually deployable patch that mitigates this vulnerability.

Contact XZERES Service Team at 877-404-9438 (option 4) for instructions and support implementing the patch.