XZERES Fixes Wind Turbine Vulnerability

Wednesday, March 18, 2015 @ 02:03 PM gHale

XZERES created a patch that mitigates a cross-site request forgery (CSRF) vulnerability in the operating system (OS) of its 442SR wind turbine generator, according to a report on ICS-CERT.

The vulnerability, discovered by independent researcher Maxim Rupp, is remotely exploitable and affects XZERES’ 442SR Wind Turbine.


Successful exploitation of this vulnerability allows an attacker to retrieve the user password through the browser and to change the default user's password. Because the default user has admin rights, the attack can cause a loss of power for all attached systems.

XZERES is a Wilsonville, OR-based energy company that maintains offices in several countries around the world, including the U.S., UK, Italy, Japan, Caribbean, Vietnam, Philippines, and Myanmar.

The affected product, the 442SR Wind Turbine, has a web-based interface. According to XZERES, the 442SR is deployed across the energy sector and sees use worldwide.

The 442SR OS accepts both the POST and GET methods for data input. Because a state-changing request such as a password change can be submitted via GET, an attacker can craft a URL (for example embedded in a link or image on a page the victim visits) that the browser of a logged-in user sends along with its session, letting the attacker retrieve the user password from the browser and change the default user password without the user's knowledge. The default user has admin rights to the entire system.
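To make the mechanism concrete, here is an added example (written for this page; not XZERES code and not the 442SR's real interface) that models a password-change endpoint in two forms: a vulnerable handler that accepts the change via GET with nothing but the session cookie, and a hardened handler that requires POST, a per-session anti-CSRF token, and rejects requests whose fetch metadata marks them as cross-site. The endpoint path `/admin/password`, the parameters `user`, `newpw` and `csrf`, the default `admin` account and the sample requests are all constructed assumptions for illustration.

```python
"""Model of a GET-accepting password-change endpoint and its hardened form.

Added example, not code from XZERES or the 442SR. Endpoint, parameter
names, default account and requests are hypothetical.
"""
from dataclasses import dataclass, field
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str                    # path plus query, e.g. "/admin/password?user=admin&newpw=x"
    headers: dict = field(default_factory=dict)
    body: str = ""              # form-encoded body for POST
    # The browser attaches the session cookie to first-party AND forged
    # requests alike; that automatic attachment is what CSRF abuses.
    session_cookie: str = ""


@dataclass
class Turbine:
    # Hypothetical default user with admin rights (constructed sample data).
    users: dict = field(default_factory=lambda: {"admin": "admin"})
    sessions: dict = field(default_factory=dict)   # cookie -> {"user", "csrf"}

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
        return cookie


def _params(req):
    """Merge query-string and body parameters, as a permissive server does.

    Note that parameters sent via GET also land in browser history, proxy
    logs and Referer headers, which is how credentials leak from the browser.
    """
    merged = parse_qs(urlsplit(req.url).query)
    merged.update(parse_qs(req.body))
    return {k: v[0] for k, v in merged.items()}


def vulnerable_change_password(t, req):
    """Accepts GET or POST; the only check is a valid session cookie."""
    if req.session_cookie not in t.sessions:
        return 401
    p = _params(req)
    t.users[p["user"]] = p["newpw"]
    return 200


def hardened_change_password(t, req):
    """State change only via POST, bound to a per-session token, and refused
    when the browser's fetch metadata says the request came from another site."""
    sess = t.sessions.get(req.session_cookie)
    if not sess:
        return 401
    if req.method != "POST":
        return 405
    # Modern browsers send Sec-Fetch-Site; a forged request from an attacker
    # page carries "cross-site". Older browsers omit it, so the token check
    # below remains the primary defence rather than this header.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    p = _params(req)
    if not hmac.compare_digest(p.get("csrf", ""), sess["csrf"]):
        return 403
    t.users[p["user"]] = p["newpw"]
    return 200


def forged_request(cookie):
    """What a logged-in victim's browser sends when an attacker page contains
    <img src="http://turbine.local/admin/password?user=admin&newpw=pwned">:
    a GET carrying the session cookie, no token, cross-site fetch metadata.
    (Constructed sample request.)"""
    return Request("GET", "/admin/password?user=admin&newpw=pwned",
                   headers={"Sec-Fetch-Site": "cross-site",
                            "Referer": "http://attacker.example/"},
                   session_cookie=cookie)


def legitimate_request(t, cookie):
    """A same-origin POST from the real admin page, carrying the session's token."""
    tok = t.sessions[cookie]["csrf"]
    return Request("POST", "/admin/password",
                   headers={"Sec-Fetch-Site": "same-origin"},
                   body=f"user=admin&newpw=newsecret&csrf={tok}",
                   session_cookie=cookie)


def demo():
    """Run the forged GET against both handlers; return (status, admin password)."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_change_password),
                          ("hardened", hardened_change_password)):
        t = Turbine()
        cookie = t.login("admin")
        status = handler(t, forged_request(cookie))
        results[name] = (status, t.users["admin"])
    return results


if __name__ == "__main__":
    for name, (status, pw) in demo().items():
        print(f"{name:10s} status={status} admin password now={pw!r}")
```

Against the vulnerable handler the forged GET returns 200 and the admin password becomes `pwned`; the hardened handler answers 405 and leaves it untouched, and a forged POST (an auto-submitting form on the attacker page) is refused with 403 because it carries neither the session's token nor same-origin fetch metadata. The patch XZERES describes is not public, so this only illustrates the class of fix, not the vendor's implementation.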

CVE-2015-0985 has been assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target this vulnerability, but crafting a working exploit would be easy: code exists online that can readily be modified to initiate a CSRF attack against it.

XZERES has developed a manually deployable patch that mitigates this vulnerability. Contact the XZERES Service Team for instructions and support in implementing the patch.
