Earlier this week DHS ICS-CERT published a control system alert for the wind turbine generator SCADA/HMI produced by Nordex. The cross-site scripting vulnerability was publicly disclosed by Darius Freamon on his blog (The Darius Freamon Blog; he is more creative in his cyber-vulnerability research than in his blog naming).
ICS-CERT does identify Darius as the source of this vulnerability report but only provides a link to his disclosure through OSVDB, not his blog. To be fair, though, you have to be something of a control system geek to see the actual vulnerability from the Darius blog post, whereas the OSVDB listing makes it much clearer:
“Nordex NC2 Wind Farm Portal contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'userName' parameter upon submission to the /login script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.”
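The flaw class OSVDB describes above, reduced to its essentials as an added, constructed illustration (this is not Nordex code and the HTML is a made-up stand-in for the NC2 /login page, which is not public): the unsafe pattern that writes the submitted userName straight back into the page, beside a version that validates on input and encodes on output.

```python
"""Reflected XSS in a login form: the unsafe pattern and the fix.

Added, constructed illustration; not Nordex code. The HTML below is a made-up
stand-in for the NC2 portal's /login page, which is not public.
"""
import html
import re

# Constructed policy: what a login name may look like in this hypothetical app.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def render_login_vulnerable(user_name: str) -> str:
    """The flaw class OSVDB describes: the submitted userName is written back
    into the page unvalidated and unescaped, so any markup in it is parsed
    by the browser as part of the page."""
    return (
        '<form method="post" action="/login">'
        f'<input name="userName" value="{user_name}">'
        "</form>"
    )


def valid_user_name(user_name: str) -> bool:
    """Input validation: reject anything outside the expected character set."""
    return USERNAME_RE.fullmatch(user_name) is not None


def render_login_hardened(user_name: str) -> str:
    """Validate on input and always encode on output; the two are independent
    defences, so a validation bypass still does not reach the page raw."""
    if not valid_user_name(user_name):
        user_name = ""  # do not reflect rejected input at all
    safe = html.escape(user_name, quote=True)  # also neutralises the quote that closes the attribute
    return (
        '<form method="post" action="/login">'
        f'<input name="userName" value="{safe}">'
        "</form>"
    )


def reflects_markup(page: str, submitted: str) -> bool:
    """Test oracle: does the raw submitted string appear verbatim in the page?"""
    return submitted in page


if __name__ == "__main__":
    # Constructed sample input containing attribute-breaking and tag characters.
    sample = '"><b>probe</b>'
    print(reflects_markup(render_login_vulnerable(sample), sample))  # True
    print(reflects_markup(render_login_hardened(sample), sample))    # False
```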
An interesting thing that neither ICS-CERT nor OSVDB noted in their write-ups about this vulnerability is that it was discovered via SHODAN. It appears that Darius is a prolific user of SHODAN to search for vulnerabilities. Most commentators have focused on the use of this search engine for finding internet-facing control systems; Darius has been using it to find system vulnerabilities, particularly default credentials.
Darius has been looking mostly at servers and communications devices, but I expect that we will be hearing more from him about control systems.
1 comment:
Although wind farms show up with depressing frequency on Shodan, they're hardly the only things out there.
The SHINE project has accumulated ridiculous numbers of hits of various control systems ranging from building automation systems, to mining truck maintenance systems, small water and electric utilities, a crematorium, and quite a few other things besides.
Unfortunately, most of this data is very difficult to deal with. We can do a reverse IP address lookup, and usually all we get is an ISP address. We usually have no idea who manages these assets and we have no easy way to determine who they are without disclosing a toxic level of raw IP addresses ready to be attacked. So we keep it quiet for now.
Jake Brodsky