Exploits that target a cross-site scripting vulnerability in the Nordex Control 2 (NC2) application are publicly available.
Independent researcher Darius Freamon identified the remotely exploitable vulnerability and released proof-of-concept (exploit) code without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT.
Nordex Control 2 (NC2) SCADA V16 and prior versions are affected.
The reflected cross-site scripting attack may allow an attacker to execute arbitrary script code in the user’s browser within the trust relationship between their browser and the server.
Nordex is a company based in Germany that maintains offices in several countries around the world, including the United States, Germany, Sweden, Netherlands, France, Austria, Spain, China, Italy, and the United Kingdom.
The affected product, Nordex Control 2, is a web-based SCADA system for wind power plants. According to Nordex, NC2 is used across the energy sector. Nordex said this product sees action mainly in the United States, Europe, and China.
The NC2 Wind Farm Portal contains a flaw that allows a reflected cross-site scripting attack. This flaw exists because the application does not validate the “username” parameter upon submission to the login script.
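An added example (not Nordex code and not from the advisory) of the class of flaw described above: a hypothetical login-error renderer that echoes the `username` parameter unencoded, beside a version that validates it against an allowlist and HTML-encodes it on output. The function names, the allowlist pattern and the sample inputs are assumptions constructed for illustration.

```javascript
"use strict";
// Hypothetical login-error rendering; illustrative only, not the NC2 implementation.

// Assumed account-name policy: letters, digits, dot, underscore, hyphen, 1-64 chars.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

// HTML-encode the characters that can break out of element or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the submitted username is copied into the response as-is,
// so markup in the parameter becomes markup in the page (reflected XSS).
function renderLoginErrorUnsafe(username) {
  return `<p>Login failed for ${username}</p>` +
         `<input name="username" value="${username}">`;
}

// Hardened form: validate on input, encode on output, never echo rejected input.
function renderLoginErrorSafe(username) {
  // A repeated query/form parameter may arrive as an array; take the first value.
  const name = Array.isArray(username) ? username[0] : username;
  if (typeof name !== "string" || !USERNAME_RE.test(name)) {
    return { status: 400, body: "<p>Login failed.</p>" };
  }
  const safe = escapeHtml(name); // defence in depth even after validation
  return {
    status: 401,
    body: `<p>Login failed for ${safe}</p><input name="username" value="${safe}">`,
  };
}

// Constructed sample inputs: a normal name, markup, an ampersand, a repeated parameter.
const SAMPLES = ["operator.01", '"><i>markup</i>', "a&b", ["x<y", "ok"]];

for (const sample of SAMPLES) {
  console.log(JSON.stringify({
    input: sample,
    unsafe: renderLoginErrorUnsafe(sample),
    safe: renderLoginErrorSafe(sample),
  }));
}
```

The same encoding step belongs on every page that displays the submitted username, including error and audit views, not only the login response.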
CVE-2014-5408 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
An attacker with low skill would be able to exploit this vulnerability.
Nordex will release a patch for all affected NC2-SCADA versions at the end of this year. The patch has to be applied to the NC2-SCADA system by Nordex.
Nordex will upgrade all wind farms with a valid service contract to the patched version of the NC2-SCADA in coordination with normal maintenance operations.
Owners of Nordex NC2-based wind farms without a valid service contract can order the patch from Nordex by contacting their local Nordex service organization.