Cogent DataHub XSS and CRLF

Overview

ICS-CERT is aware of a public report of multiple vulnerabilities in Cogent’s DataHub application. These vulnerabilities include cross-site scripting and an HTTP header injection vulnerability, also known as a carriage return line feed. According to the report, Cogent Real-Times Systems Inc. has produced a patch that resolves these vulnerabilities.

Kuang-Chun Hung of Security Research and Service Institute - Information and Communication Security Technology Center (ICST), Taiwan R.O.C. reported these vulnerabilities to JPCERT/CC.

Affected Products

According to the report, the following products are affected:

• Cogent DataHub Version 7.1.2 and earlier
• OPC DataHub Version 6.4.20 and earlier
• Cascade DataHub Version 6.4.20 and earlier.

Impact

Successful exploitation of these vulnerabilities could result in one or more of the following:

• An arbitrary script being executed on the user's web browser
• Forged information may be displayed on the user's web browser
• An HTTP response splitting attack may be conducted.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Background

Cogent Real-Time Systems Inc. is a Canadian-based company that produces middleware applications that are used to interface with control systems.

According to Cogent, DataHub is deployed across several sectors including manufacturing, building automation, chemical, banking and finance, electric utilities, and others. Cogent estimates these products are used primarily in the United States and Great Britain.

Vulnerability Characterization

Vulnerability Overview

Cross-Site Scripting

A cross-site scripting vulnerability exists in the Cogent DataHub application because it lacks server-side validation of query string parameter values. Attacks that exploit these vulnerabilities require that a user visit a specially crafted URL, which injects client-side scripts into the server’s HTTP response to the client.

CVE-2012-0309 has been assigned to this vulnerability. A CVSS V2 base score of 4.3 has also been assigned.

HTTP Header Injection Vulnerability

An HTTP header injection vulnerability (also known as carriage return line feed) exists in the Cogent DataHub application as the product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

CVE-2012-0310 has been assigned to this vulnerability. A CVSS V2 base score of 4.3 has also been assigned.

Vulnerability Details

Exploitability

This vulnerability is remotely exploitable but may social engineering.

Existence of Exploit

No known exploits specifically target this vulnerability.

Difficulty

An attacker with a low to moderate skill level could exploit these vulnerabilities.

Mitigation

According to the report, Cogent Real-Time Systems In. has produced a patch for these vulnerabilities that can be obtained by accessing the Cogent website located here: http://www.cogentdatahub.com/Contact_Form.html and filling out the required information.

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

• Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

1. Do not click web links or open unsolicited attachments in e-mail messages.
2. Refer to Recognizing and Avoiding Email Scams for more information on social engineering attacks.
3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on avoiding e-mail scams.