Cogent created an update that mitigates the multiple remotely exploitable vulnerabilities in its Real-Time Systems DataHub application, according to a report on ICS-CERT.
Cogent Real-Time Systems reports these vulnerabilities, discovered by Dillon Beresford of Cimation, affect the following versions:
• Cogent DataHub Version 7.2.2 and earlier,
• OPC DataHub Version 6.4.21 and earlier,
• Cascade DataHub for Windows Version 6.4.21 and earlier,
• DataSim and DataPid demonstration clients for Cogent DataHub V7.2.2,
• DataSim and DataPid demonstration clients for OPC DataHub and Cascade DataHub V6.4.21, and
• DataHub QuickTrend Version 7.2.2 and earlier.
If exploited, these vulnerabilities could cause the affected programs to terminate, causing a denial of service (DoS). Other exploitations of these vulnerabilities may also allow an attacker to alter the program stack or allow the attacker to execute arbitrary code in the context of the applications.
Cogent Real-Time Systems, Inc. is a Canadian-based company that produces middleware applications used to interface with control systems.
Cogent’s products deploy across several sectors including manufacturing, building automation, chemical, banking and finance, electric utilities, and others. These products see use worldwide, primarily in the United States and Great Britain.
The DataHub application accepts formatted text commands via a TCP connection on Ports 4502/TCP and 4503/TCP. These commands end up parsed, validated, and executed within the application. The parser contains an error where malformed input will cause the parser to perform a reference through a NULL pointer, causing the application to crash.
CVE-2013-0681 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
The DataHub application contains a built-in Web server that will accept HTTP requests via Port 80/TCP. An attacker could send an HTTP request with an unusually long header parameter, causing a stack buffer overflow within the Web server. Typically, this will lead to an application crash, causing a DoS. In theory, a carefully constructed header could overwrite the stack in a predictable way, leading to arbitrary code execution.
CVE-2013-0680 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.
The DataSim and DataPid programs connect to the DataHub via a TCP connection. Information and commands end up exchanged via formatted text messages over this connection. If the user connects DataSim or DataPid to a server other than the DataHub, and this server could generate random or malformed messages, then DataSim and DataPid could crash.
In order to exploit this scenario, an attacker would need to induce the user to connect DataSim and DataPid to a server other than the DataHub. By doing that, it would mean the data produced by DataPid and DataSim would not be a part of the production system and no data would go to the DataHub. Subsequently, causing DataSim and DataPid to crash would produce no further negative effect on the system. Consequently, this crash scenario does not constitute a DoS.
DataSim and DataPid do not see use in production systems and do not pose a risk.
CVE-2013-0683 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The DataHub application accepts formatted text commands via a TCP connection. These commands end up parsed, validated, and executed within the application. When the parser gets random data, it may access memory beyond the end of an allocated heap buffer, causing a crash. It may also access memory beyond the end of a stack buffer, providing an opportunity for a carefully crafted message to modify the stack to allow code execution.
CVE-2013-0682 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.
While no known public exploits specifically target these vulnerabilities, an attacker with a low skill would be able to exploit these vulnerabilities. It would require a more skilled attacker to execute arbitrary code.
Cogent recommends the following mitigation strategies:
• Turn off Ports 4502/TCP and 4503/TCP if they are not in use. The user can do this in the Tunnel/Mirror properties of the DataHub.
• If the user does not require access to the application from the Internet, block Ports 4502/TCP and 4503/TCP at your firewall, and only allow connections on these ports from within your local area network.
• If the DataHub Web server is not in use, turn it off in the Web server properties.
• If access to DataHub from the Internet is not required, block Port 80/TCP at your firewall, and only allow connections on this port from within your local area network.
• Upgrade to one of these fixed applications:
1. DataHub QuickTrend Version 7.3.0
2. Cogent DataHub Version 7.3.0
3. OPC DataHub Version 6.4.22
4. Cascade DataHub for Windows Version 6.4.22