It had to happen, we suppose: since even a utility-grade wind turbine might ship with a handy Webby control interface, someone was bound to do it badly.
That's what's emerged in a new ICS-CERT advisory: CVE-2015-0985 details how turbines from US manufacturer XZERES allow the user name and password to be retrieved from the company's 442 SR turbine.
As the advisory notes, “This exploit can cause a loss of power for all attached systems”.
The turbine in question is, according to the company, “deployed across the energy sector” worldwide. It's part of a range of smaller-scale turbines from XZERES.
The bug itself is basic: “The 442SR OS recognises both the POST and GET methods for data input,” the advisory states. “By using the GET method, an attacker may retrieve the username password from the browser and will allow the default user password to be changed. The default user has admin rights to the entire system.”
Further, the bug is a cinch to exploit: “Crafting a working exploit for this vulnerability would be easy. There is no public exploit for this exact vulnerability. However, code exists online that can be easily modified to initiate a CSRF with this vulnerability.”
As always, users of the wind turbine are advised to keep the kit behind firewalls and only allow remote access over a VPN.
XZERES has issued a manual patch for the vulnerability. ®