Jump to content
Aerosol

Wind turbine blown away by control system vulnerability

Recommended Posts

Posted

It had to happen, we suppose: since even a utility-grade wind turbine might ship with a handy Webby control interface, someone was bound to do it badly.

That's what's emerged in a new ICS-CERT advisory: CVE-2015-0985 details how turbines from US manufacturer XZERES allow the user name and password to be retrieved from the company's 442 SR turbine.

As the advisory notes, “This exploit can cause a loss of power for all attached systems”.

The turbine in question is, according to the company, “deployed across the energy sector” worldwide. It's part of a range of smaller-scale turbines from XZERES.

The bug itself is basic: “The 442SR OS recognises both the POST and GET methods for data input,” the advisory states. “By using the GET method, an attacker may retrieve the username password from the browser and will allow the default user password to be changed. The default user has admin rights to the entire system.”

Further, the bug is a cinch to exploit: “Crafting a working exploit for this vulnerability would be easy. There is no public exploit for this exact vulnerability. However, code exists online that can be easily modified to initiate a CSRF with this vulnerability.”

As always, users of the wind turbine are advised to keep the kit behind firewalls and only allow remote access over a VPN.

XZERES has issued a manual patch for the vulnerability.

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...