Sign of the times - not really, Industrial Security really is Bad!

Advisory (ICSA-15-342-01A)
XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability (Update A)
Original release date: December 08, 2015 | Last revised: December 10, 2015

This updated advisory is a follow-up to the original advisory titled ICSA-15-342-01 XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability that was published December 8, 2015, on the NCCIC/ICS-CERT web site.

Independent researcher Karn Ganeshen has identified a cross-site scripting vulnerability in XZERES’s 442SR turbine generator operating system (OS). XZERES has produced a patch to mitigate this vulnerability.

This vulnerability could be exploited remotely.

The following XZERES product is affected:
• 442SR Wind Turbine.

--------- Begin Update A Part 1 of 2 --------
Successful exploitation of this vulnerability could allow the injection of malicious script.
--------- End Update A Part 1 of 2 ----------
This exploit can cause a loss of power for all attached systems.

For more about this exploit, see XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability (Update C) | CISA

I’m betting most folks here didn’t even know there was an Industrial Control Systems Cyber Emergency Response Team for Industrial Hacks, but there are lots of these here:



As an x-security dude/hacker, there used to be an unwritten rule about hacking industrial or infrastructure, as there was no honor or skillz required in hacking something that was so pathetic as far as security was concerned. But now that hacking has gone from old school hackers (who now seem like almost honorable good guys) to criminal organizations, terrorist groups, government agencies, etc., there are no such rules anymore, so heads up, kids: your device could be the next potential CERT advisory.