Dillon Beresford of Cimation has identified four vulnerabilities in the Cogent Real-Time Systems DataHub application. Cogent has produced an update that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
Cogent Real-Time Systems reports that these vulnerabilities affect the following versions:
Successful exploitation of these vulnerabilities will cause the affected programs to terminate, causing a denial of service (DoS). Other exploitations of these vulnerabilities may also allow an attacker to alter the program stack or allow the attacker to execute arbitrary code in the context of the applications.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Cogent Real-Time Systems, Inc. is a Canadian-based company that produces middleware applications that are used to interface with control systems.
Cogent’s products are deployed across several sectors including manufacturing, building automation, chemical, banking and finance, electric utilities, and others. These products are used worldwide, primarily in the United States and Great Britain.
The DataHub application accepts formatted text commands via a TCP connection on Ports 4502/TCP and 4503/TCP. These commands are parsed, validated, and executed within the application. The parser contains an error where malformed input will cause the parser to dereference a NULL pointer, causing the application to crash.
The DataHub application contains a built-in Web server that will accept HTTP requests via Ports 80/TCP and 443/TCP. An attacker could send an HTTP request with an unusually long header parameter, causing a stack buffer overflow within the Web server. Typically, this will lead to an application crash, causing a DoS. In theory, a carefully constructed header could be used to overwrite the stack in a predictable way, leading to arbitrary code execution.
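The stack buffer overflow described above is the classic result of copying an over-long header value into a fixed-size stack buffer. The C code below is an added illustration of that bug class, not Cogent's code or DataHub's actual Web server; it places the unsafe pattern next to a bounds-checked parser that rejects over-long values, using constructed inputs and a hypothetical 256-byte buffer.

```c
/* Added illustration of the bug class above; not DataHub's own code.
 * header_value_unsafe() shows the pattern: an attacker-controlled header
 * value copied into a fixed stack buffer with no length check (never
 * called here). header_value_safe() enforces the limit and fails closed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_HEADER_VALUE 256   /* hypothetical buffer size */
/* Vulnerable pattern: unbounded strcpy() into a 256-byte stack buffer. */
int header_value_unsafe(const char *line)
{
    char value[MAX_HEADER_VALUE];
    const char *sep = strchr(line, ':');
    if (!sep) return -1;
    strcpy(value, sep + 1);                  /* no bound check */
    return (int)strlen(value);
}
/* Hardened: copy only up to end of line and only if it fits. Returns the
 * value length, -1 for a malformed line, -2 if the value is too long
 * (reject the request rather than truncate silently). */
int header_value_safe(const char *line, char *out, size_t outsz)
{
    const char *sep = strchr(line, ':');
    if (!sep || outsz == 0) return -1;
    const char *v = sep + 1;
    while (*v == ' ' || *v == '\t') v++;     /* skip optional whitespace */
    size_t n = strcspn(v, "\r\n");           /* value ends at CRLF */
    if (n >= outsz) return -2;
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}
/* Constructs a "Host: AAAA..." line of total_len bytes (NUL included)
 * and parses it with the safe routine; returns its result code. */
int parse_constructed_host_line(size_t total_len)
{
    char line[4096], out[MAX_HEADER_VALUE];
    if (total_len < 7 || total_len > sizeof line) return -3;
    memset(line, 'A', total_len);
    memcpy(line, "Host: ", 6);
    line[total_len - 1] = '\0';
    return header_value_safe(line, out, sizeof out);
}
int main(void)
{
    printf("20-byte line: %d\n", parse_constructed_host_line(20));     /* 13 */
    printf("2048-byte line: %d\n", parse_constructed_host_line(2048)); /* -2 */
    return 0;
}
```

The boundary to watch is the `n >= outsz` test: a value of exactly 255 bytes fits with its terminator, a 256-byte value is rejected before any copy takes place.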
The DataSim and DataPid programs connect to the DataHub via a TCP connection. Information and commands are exchanged via formatted text messages over this connection. If the user connects DataSim or DataPid to a server other than the DataHub, and this server is designed to generate random or malformed messages, then DataSim and DataPid could crash.
In order to exploit this scenario, an attacker would need to induce the user to connect DataSim and DataPid to a server other than the DataHub. The simple act of inducing this connection would mean that the data produced by DataPid and DataSim would not be connected to the production system and no data would be delivered to the DataHub. Subsequently, causing DataSim and DataPid to crash would produce no further negative effect on the system.
DataSim and DataPid are not used in production systems and do not pose a risk.
The DataHub application accepts formatted text commands via a TCP connection. These commands are parsed, validated, and executed within the application. When the parser is sent random data, it may access memory beyond the end of an allocated heap buffer, causing a crash. It may also access memory beyond the end of a stack buffer, providing an opportunity for a carefully crafted message to modify the stack to allow code execution.
These vulnerabilities could be exploited remotely.
No known public exploits specifically target these vulnerabilities.
An attacker with a low skill level would be able to exploit these vulnerabilities. It would require a more skilled attacker to execute arbitrary code.
Cogent recommends the following mitigation strategies:
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies.
For any questions related to this report, please contact CISA at:
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://www.us-cert.gov/ics
or incident reporting: https://www.us-cert.gov/report