Saturday, November 2, 2013

ICS-CERT Publishes Nordex Alert

Earlier this week DHS ICS-CERT published a control system alert for the wind turbine generator SCADA/HMI produced by Nordex. The cross-site scripting vulnerability was publicly disclosed by Darius Freamon on his blog (The Darius Freamon Blog; he is more creative in his cyber-vulnerability research than in his blog naming).

ICS-CERT does identify Darius as the source of this vulnerability report, but it only provides a link to his disclosure through OSVDB, not his blog. To be fair, though, you have to be something of a control system geek to see the actual vulnerability from the Darius blog post, whereas the OSVDB listing makes it much clearer:

“Nordex NC2 Wind Farm Portal contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'userName' parameter upon submission to the /login script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.”
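To make the OSVDB description concrete, here is an added example that is not Nordex's code and not part of the original post or the OSVDB entry: a minimal model of a /login handler that reflects the submitted 'userName' value back into the login form. The vulnerable version interpolates the value raw, which is the pattern the listing describes; the hardened version HTML-escapes it. The function names, the form markup and the test payload are all constructed for illustration and are not taken from the real product.

```python
# Added example, not Nordex NC2 code and not from the original post.
# Models the flaw described in the OSVDB entry: a /login page that
# reflects the 'userName' parameter without validation or encoding.
# Function names, markup and payload are hypothetical/constructed.
from html import escape
from urllib.parse import parse_qs, quote

# Constructed attacker payload: closes the value attribute and the input
# tag, then injects a script element.
PAYLOAD = '"><script>alert(1)</script>'


def build_login_query(user_name: str) -> str:
    """Build the query string an attacker-supplied link would carry."""
    return "userName=" + quote(user_name, safe="")


def parse_login_request(query_string: str) -> str:
    """Extract userName from a /login?userName=... query (empty if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("userName", [""])[0]


def render_login_vulnerable(user_name: str) -> str:
    """Reflects the submitted value into the form with no encoding."""
    return (
        '<form action="/login" method="post">'
        f'<input name="userName" value="{user_name}">'
        '<input type="password" name="password">'
        "</form>"
    )


def render_login_fixed(user_name: str) -> str:
    """Same page, but the value is HTML-escaped; quote=True turns " into &quot;
    so the attacker cannot break out of the attribute."""
    safe_name = escape(user_name, quote=True)
    return (
        '<form action="/login" method="post">'
        f'<input name="userName" value="{safe_name}">'
        '<input type="password" name="password">'
        "</form>"
    )


def reflects_unescaped(response: str, payload: str) -> bool:
    """Crude reflected-XSS check: does the raw payload, tags and all,
    come back verbatim in the response body?"""
    return payload in response


def check_handler(render) -> bool:
    """Simulate the attacker link end to end: build the query, parse it the
    way the server would, render the page, and report whether the payload
    survived unencoded. True means the handler is vulnerable."""
    user_name = parse_login_request(build_login_query(PAYLOAD))
    return reflects_unescaped(render(user_name), PAYLOAD)


if __name__ == "__main__":
    print("vulnerable handler reflects payload:", check_handler(render_login_vulnerable))
    print("fixed handler reflects payload:     ", check_handler(render_login_fixed))
```

The check is deliberately crude: it only confirms that a known payload comes back byte-for-byte, which is enough to reproduce the class of flaw the listing describes. A real assessment would also try payloads that break out of other contexts (JavaScript strings, URL attributes) and confirm execution in a browser rather than trusting string matching.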

An interesting thing that neither ICS-CERT nor OSVDB noted in their write-ups about this vulnerability is that it was discovered via SHODAN. It appears that Darius is a prolific user of SHODAN to search for vulnerabilities. Most commentators have focused on the use of this search engine for finding internet-facing control systems; Darius has been using it to find system vulnerabilities, particularly default credentials.

Darius has been looking mostly at servers and communications devices, but I expect that we will be hearing more from him about control systems.

1 comment:

Jake Brodsky said...

Although wind farms show up with depressing frequency on Shodan, they're hardly the only things out there.

The SHINE project has accumulated ridiculous numbers of hits of various control systems ranging from building automation systems, to mining truck maintenance systems, small water and electric utilities, a crematorium, and quite a few other things besides.

Unfortunately, most of this data is very difficult to deal with. We can do a reverse IP address lookup, and usually all we get is an ISP address. We usually have no idea who manages these assets and we have no easy way to determine who they are without disclosing a toxic level of raw IP addresses ready to be attacked. So we keep it quiet for now.

Jake Brodsky
