Cogent Code Injection Vulnerability
Thursday, September 3, 2015 @ 06:09 PM gHale
A patch was released Wednesday to mitigate a code injection vulnerability affecting Cogent Real-Time Systems, Inc.’s DataHub application, according to a report on ICS-CERT.
An anonymous security researcher reported this remotely exploitable vulnerability to HP’s Zero Day Initiative (ZDI). Cogent DataHub Version 7.3.8 and earlier suffer from the issue.
Successful exploitation of this vulnerability could allow an attacker to turn on an insecure processing mode in the web server, which subsequently allows the attacker to send arbitrary script commands to the server. These script commands can result in remote code execution, denial of service, and information disclosure.
Cogent is a Canada-based company that produces middleware applications used to interface with control systems.
The Cogent DataHub product is a real-time middleware solution and works across several sectors including chemical, commercial facilities, critical manufacturing, energy and financial services. These products see use on a global basis, but primarily in the United States and Great Britain.
If an attacker sends a request to any Gamma script file that uses a certain class, the attacker can then turn on an insecure processing mode in the web server. The specific flaw exists because of an insecure processing mode in the ajax pseudo-URL handler within the Cogent DataHub web server.
CVE-2014-3789 is the case number assigned to this vulnerability, for which ZDI calculated a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.
Cogent has fixed this vulnerability in Version 7.3.9 of DataHub. This is a free upgrade for any customer running V7.x. Cogent advises that customers running versions prior to Version 7.3.9 do one of the following:
• Upgrade to Cogent DataHub Version 7.3.9
• Disable the web server component in the Cogent DataHub installation
• Configure network security to block access to the Cogent DataHub web server from untrusted locations
• Delete the file C:\Program files (x86)\Cogent\Cogent DataHub\require\AJAXSupport.g and then restart the Cogent DataHub process