DataHub Security Enhancement Implemented

On September 13, 2011, the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) notified Cogent that version 7 of the Cogent DataHub was vulnerable to denial of service, information leaks, and possibly remote code execution by remote attackers. The report recommended that users of the Cogent DataHub minimize the network exposure of control system devices, locate control systems behind firewalls, and, where remote access is required, use secure methods such as VPNs.

In response to this report, Cogent's development team has located and fixed the vulnerabilities in question, tested the fixes, and incorporated them in a new release of the Cogent DataHub, version 7.1.2, now available for download.

Cogent encourages users of the Cogent DataHub to download and install version 7.1.2 where possible. Users of the OPC DataHub or Cascade DataHub should contact Cogent to obtain v6.4.20. Users who cannot upgrade should implement the following guidelines to minimize the network exposure of their control systems.

There are two classes of vulnerability:
  1. TCP ports 4502/4503 (applies only to Cogent DataHub v7). These are the tunnel/mirror ports. If you are not using these ports, turn them off in the Tunnel/Mirror properties of the DataHub. If you are using these ports, the vulnerabilities cannot be exploited as long as you require authentication on all TCP connections. To do so, in the Security properties of the DataHub remove all permissions for the special UserNames "TCP" and "Mirror", create a group for the users who are authorized, and allow "BasicConnectivity" for that group. The DataHub will then refuse all commands from unauthenticated TCP connections while still allowing authenticated users to connect.
  2. Web server, typically port 80 (applies to Cogent DataHub v7, as well as OPC DataHub and Cascade DataHub v6). If you are not using the DataHub Web Server, turn it off in the Web Server properties. If you are using the DataHub Web Server and exposing it to the Internet, you can configure user and password authentication in the DataHub Web Server. This will force all web browser connections to the Web Server to authenticate. This will be less convenient for your users, and may slow down page loading, but will block attackers from exploiting any of the listed vulnerabilities.

In both cases, if you do not intend for anyone to connect to the DataHub from the Internet, block TCP ports 4502, 4503, 80 and 943 at your firewall, and only allow connections on these ports from within your local area network.
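The following script is an added example of the firewall step above; it is not part of the original advisory or of Cogent's product. It assumes a Linux netfilter (iptables) firewall in front of, or on, the DataHub host; the LAN range 192.168.10.0/24 is a placeholder. It prints the rules rather than applying them, so they can be reviewed first, and it includes a helper that reads `ss -Hltn` or Windows `netstat -an` output and reports which of the advisory's ports are actually listening, so the firewall change can be checked against what the host really exposes.

```shell
#!/bin/sh
# Added example, not Cogent's code: restrict the DataHub ports named in the
# advisory to a single LAN range and verify which of them are listening.
# Assumptions: Linux iptables firewall; LAN range passed as $1 (placeholder
# 192.168.10.0/24 in the usage note below).

DATAHUB_PORTS="4502 4503 80 943"

# Print iptables rules (do not apply them) that accept the DataHub ports
# from the LAN range only, log everything else, then drop it. Because the
# rules use -A in this order, ACCEPT is evaluated before LOG/DROP.
datahub_fw_rules() {
    lan_cidr="$1"
    for p in $DATAHUB_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -s $lan_cidr -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j LOG --log-prefix \"DATAHUB-BLOCKED \""
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Read socket listings on stdin (Linux `ss -Hltn`, Linux `netstat -ltn`, or a
# Windows `netstat -an` capture) and print each DataHub port that is in a
# LISTEN/LISTENING state, once. Any whitespace-separated token ending in
# ":<port>" is checked, so the column layout does not matter; non-listening
# lines (e.g. ESTAB connections to a remote DataHub) are ignored.
datahub_listening() {
    awk -v ports="$DATAHUB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
    /LISTEN/ {
        for (f = 1; f <= NF; f++) {
            k = split($f, a, ":"); port = a[k]   # last component after ":"
            if ((port in wanted) && !seen[port]++) print port
        }
    }'
}

# Usage when run directly:  sh datahub_fw.sh 192.168.10.0/24 > rules.sh
# Then review rules.sh and run it on the firewall host as root.
if [ -n "${1:-}" ]; then
    datahub_fw_rules "$1"
fi
```

Run `ss -Hltn | sh -c '. ./datahub_fw.sh; datahub_listening'` on a Linux host, or paste a `netstat -an` capture from the Windows DataHub machine into the same function, before and after the change: any port the advisory lists that still shows up should be either turned off in the DataHub properties or covered by a LAN-only rule. The LOG rule is optional but gives the operations team a record of Internet-side probes against these ports.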

In summary, if you cannot upgrade, all of these exploits can be blocked by security configuration in the DataHub, and further protected against through firewall configuration. If you are running any version of the DataHub in an untrusted environment, you should upgrade to Cogent DataHub v7.1.2, or to OPC DataHub or Cascade DataHub v6.4.20.