A remote vulnerability has been discovered in the operating system of wind turbines of the major U.S.-based manufacturer XZERES. It can be exploited to gain full administrative access to single wind turbines and clusters of them.
Like almost everything nowadays, even a wind turbine apparently has to come with a shiny web interface to manage it. It is nothing new that such interfaces are often the weak spot that plays a major role in an exploitation process.
Exactly this happened with the 442SR model of the U.S.-based manufacturer XZERES. According to the manufacturer, this model of wind turbine is deployed all over the world. The web interface that ships with the 442SR makes it possible to read and change the administrative user details through a bug in the operating system.
According to the corresponding Security Advisory, the OS recognizes both HTTP POST and HTTP GET requests as data input. This allows an attacker to retrieve the username and password through a GET request to the web interface. The default user has administrative permissions for the whole system, which would allow the attacker to exploit or infect the system further and, for example, to power off the wind turbines.
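The defect class described in the advisory is easiest to see next to its fix. The following is an added example, not XZERES code and not taken from the advisory: a toy request handler for a hypothetical `/admin/user` route that reads parameters the same way whether they arrive by GET or POST, performs no authentication check, and hands back the account record including the password, beside a hardened version that requires an authenticated session, refuses GET for the state-changing route, stores only a salted hash, and never puts credential material in a response. All route names, parameter names and user data are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import hashlib
import hmac


@dataclass
class Request:
    method: str                                            # "GET" or "POST"
    path: str
    params: Dict[str, str] = field(default_factory=dict)   # parsed query string and/or form body
    session_user: Optional[str] = None                     # user bound to a valid server-side session


# Constructed sample data: the weak store keeps plaintext, the hardened one a salted hash.
WEAK_USERS = {"admin": {"password": "constructed-secret", "role": "admin"}}

SALT = b"constructed-salt"


def _hash_pw(pw: str) -> str:
    return hashlib.sha256(SALT + pw.encode()).hexdigest()


HARDENED_USERS = {"admin": {"pw_hash": _hash_pw("constructed-secret"), "role": "admin"}}

Response = Tuple[int, Dict[str, str]]


def weak_handler(req: Request) -> Response:
    """Weak pattern: GET and POST are treated alike, nobody is authenticated,
    and the full account record (password included) is returned to any caller."""
    if req.path == "/admin/user":
        name = req.params.get("user", "admin")
        rec = WEAK_USERS.get(name)
        if rec is None:
            return 404, {"error": "no such user"}
        return 200, {"user": name, "password": rec["password"], "role": rec["role"]}
    if req.path == "/admin/user/update":
        name = req.params.get("user", "admin")
        if name in WEAK_USERS:
            WEAK_USERS[name]["password"] = req.params.get("password", "")
            return 200, {"status": "updated"}
        return 404, {"error": "no such user"}
    return 404, {"error": "not found"}


def hardened_handler(req: Request) -> Response:
    """Hardened version: admin routes require an authenticated session, the
    state-changing route accepts POST only, a caller may only view or change
    their own account, and responses carry no password or hash."""
    if req.path not in ("/admin/user", "/admin/user/update"):
        return 404, {"error": "not found"}
    # 1. Authentication before anything else: anonymous requests are rejected.
    if req.session_user is None or req.session_user not in HARDENED_USERS:
        return 401, {"error": "authentication required"}
    # 2. Changing credentials is a state change, so only POST is accepted.
    if req.path == "/admin/user/update":
        if req.method != "POST":
            return 405, {"error": "method not allowed"}
        new_pw = req.params.get("password", "")
        if len(new_pw) < 12:
            return 400, {"error": "password too short"}
        HARDENED_USERS[req.session_user]["pw_hash"] = _hash_pw(new_pw)
        return 200, {"status": "updated"}
    # 3. Read-only view of the caller's own account: minimal fields, no secrets.
    if req.method != "GET":
        return 405, {"error": "method not allowed"}
    rec = HARDENED_USERS[req.session_user]
    return 200, {"user": req.session_user, "role": rec["role"]}


def verify_password(name: str, pw: str) -> bool:
    """Login check against the hardened store using a constant-time comparison."""
    rec = HARDENED_USERS.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_pw(pw))
```

The ordering in `hardened_handler` is deliberate: the authentication check runs before the method check so that an unauthenticated caller learns nothing about which methods a route accepts, and the password hash never leaves the store, so even a read of the account record cannot leak a credential.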
XZERES released a patch for the vulnerability shortly after the independent security researcher Maxim Rupp discovered it; he had already proposed the patch that mitigates it. XZERES further advises affected companies to assess the impact this vulnerability could have on their operational environment and to contact the manufacturer for instructions on how to deploy the patch.
It is alarming that such sensitive systems are not being thoroughly tested for vulnerabilities, especially such obvious ones. These vulnerabilities can be exploited not only by the Chinese Cyber Army, but by anyone with a bit of determination.
This case shows how crucial it is to never allow public network access to sensitive systems. They should always be kept isolated in a VPN that is dedicated to only a specific kind or part of the systems, that only a few people can access via a key/password combination, and whose credentials are changed on a regular basis. This keeps potentially vulnerable (read: all) systems away from remote attackers and limits the damage if a VPN should ever get compromised. Keep in mind that a system is only considered secure until someone proves otherwise.