US government uncovers possible security flaw in Nordex software

UNITED STATES: A potential vulnerability with the Nordex Control 2 application has been flagged up by a security team with the US Department of Homeland Security.

The problem has been uncovered by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the USA's National Cybersecurity & Communications Integration Center (NCCIC) Homeland Security.

NCCIC/ICS-CERT stated 31 October 2013 that "it is aware of a public report of a Cross-Site Scripting vulnerability affecting the Nordex Control 2 (NC2) application".

In effect, this means the application software does not require that every single incoming message is checked for identification code and password. The loophole could allow users of the web application or others to access and alter the web content with malicious intent.

The report NCCIC/ICS-CERT that passed on was by then third hand. Independent researcher Darius Freamon had originally published his findings on his blog and was reported on OSVDB, an open-source vulnerability database website, on 18 October 2013, the NCCIC/ICS-CERT report said.

The Nordex brochure titled "Control 2 cockpit for wind power plants", published in August 2008, describes the web application as providing "interactive access" to all of the principle operating modes and data concerning all aspects of the wind turbines and the wind parks.

The OSVDB report said the vulnerability "may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server."

Questioned by Windpower Monthly, Nordex said it was investigating the claims but was unable to comment further.