OTPulse

Cogent DataHub XSS and CRLF

Low Risk · ICS-CERT ICSA-12-016-01 · Oct 19, 2012
Summary

Cogent DataHub, OPC DataHub, and Cascade DataHub contain cross-site scripting (XSS, CWE-79) and CRLF injection (CWE-94) vulnerabilities in the web interface. An attacker can inject malicious JavaScript code or HTTP header/body content that is reflected in responses to users. XSS allows attackers to steal session cookies, perform actions on behalf of authenticated users, or redirect users to phishing sites. CRLF injection allows attackers to manipulate HTTP responses and inject arbitrary content.

What this means
What could happen
An attacker with network access to the DataHub web interface could inject malicious code that executes in the browsers of users accessing the system, potentially allowing credential theft, session hijacking, or redirection to malicious sites. Attackers could also inject carriage return/line feed characters to manipulate HTTP responses and inject content into web pages.
Who's at risk
Water and utility operators who use Cogent DataHub, OPC DataHub, or Cascade DataHub for SCADA data aggregation and real-time monitoring. This affects any facility using these products to centralize sensor data, alarm management, or operator dashboards. End-of-life status of these products means no vendor patch is available, making network isolation critical.
How it could be exploited
An attacker sends a crafted HTTP request containing JavaScript code or CRLF characters through the DataHub web interface. When an administrator or operator views the affected page in their browser, the injected script executes in their session context, or the CRLF injection allows the attacker to inject arbitrary HTTP headers and content. No special knowledge of the system's internal operations is required—only the ability to reach the web interface on the network.
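The two flaws described in the Summary and in this section come from the same root cause: a request value is copied into an HTTP header or an HTML body without being encoded for that context. The following added example (not code from the advisory, from Cogent, or from the DataHub products) shows that shape and its hardened counterpart in a hypothetical handler that stores a `dashboard` name in a cookie and reflects it on the page; the handler, the parameter name and the inputs are all assumptions made for illustration.

```python
"""Added example: reflected input in a header and in HTML, unsafe vs hardened.

The handler, its `dashboard` parameter and all inputs are hypothetical; they
model the reflection pattern the advisory describes, not the product's code.
"""
import html
import re
from urllib.parse import quote

# Control characters never belong in a dashboard name; CR/LF in particular are
# what let a value terminate a header line (CRLF injection).
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def unsafe_response(dashboard: str) -> bytes:
    """Vulnerable shape: the raw value is copied into a header and the body."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Set-Cookie: dashboard={dashboard}; Path=/\r\n"
        "Content-Type: text/html\r\n\r\n"
    )
    body = f"<h1>Dashboard: {dashboard}</h1>"
    return (head + body).encode("utf-8")


def safe_response(dashboard: str) -> bytes:
    """Hardened shape: drop control characters, then encode for each context."""
    clean = _CTL.sub("", dashboard)
    head = (
        "HTTP/1.1 200 OK\r\n"
        # Cookie context: percent-encode so ';', ',', whitespace and any other
        # special character cannot change the header's structure.
        f"Set-Cookie: dashboard={quote(clean, safe='')}; Path=/; HttpOnly; SameSite=Strict\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        # Defence in depth: even a missed encoding cannot run inline script.
        "Content-Security-Policy: default-src 'self'\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n"
    )
    # HTML text context: entity-encode so '<' can never open a tag.
    body = f"<h1>Dashboard: {html.escape(clean, quote=True)}</h1>"
    return (head + body).encode("utf-8")


def parse_headers(raw: bytes) -> list:
    """Split a raw response into (name, value) header pairs, as a client would."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    return [tuple(line.split(": ", 1)) for line in lines]


def header_names(raw: bytes) -> list:
    """Header names in the order a client would see them."""
    return [name for name, _ in parse_headers(raw)]


if __name__ == "__main__":
    # Constructed input carrying a line break: the unsafe handler emits an
    # extra header the server never intended, the safe one does not.
    crafted = "main\r\nSet-Cookie: sid=x"
    print(header_names(unsafe_response(crafted)))
    print(header_names(safe_response(crafted)))
```

The ordering inside `safe_response` matters: control characters are removed once at the input boundary, and every output location then applies its own encoding (percent-encoding for the cookie value, entity encoding for HTML text). The CSP and `nosniff` headers do not fix the injection; they limit what a missed encoding can do, which is the only kind of protection available for an end-of-life product behind a proxy.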
Prerequisites
  • Network access to the DataHub web interface (HTTP/HTTPS port, typically 80 or 443)
  • A user (administrator or operator) must visit a web page or link containing the injected payload
Tags:
  • remotely exploitable
  • no patch available
  • no authentication required to exploit XSS in some contexts
  • end-of-life product
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (3, all EOL)

Product            Affected Versions   Fix Status
Cogent DataHub     ≤ 7.1.2             No fix (EOL)
OPC DataHub        ≤ 6.4.20            No fix (EOL)
Cascade DataHub    ≤ 6.4.20            No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the DataHub web interface using a firewall or network segmentation. Only allow connections from trusted engineering workstations and management subnets.
WORKAROUND: Implement a Web Application Firewall (WAF) or proxy to filter malicious input patterns, including angle brackets, JavaScript keywords, and CRLF sequences in HTTP parameters.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor DataHub logs for suspicious HTTP requests containing encoded JavaScript or unusual character sequences (e.g., %0d%0a, %3c, script).
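The WAF filter in the "Do now" list and the log monitoring above look for the same indicators (%0d%0a, %3c, script keywords), so one detector covers both. The following added example, which is not part of the advisory and not a DataHub or OTPulse tool, runs those checks over access-log lines. The log lines are constructed for the example, and the Common Log Format parser is an assumption: the advisory does not show the DataHub product's real log layout, so the regular expression would need adjusting to it.

```python
"""Added example: flag web-interface requests carrying XSS or CRLF indicators.

Log lines below are constructed; the CLF parser is an assumption about the
log layout and is not taken from the advisory or the product.
"""
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators mirroring the advisory's list: CR/LF (%0d%0a), '<' (%3c), script.
# "script" on its own would match legitimate paths such as /scripts/app.js,
# so the script check is narrowed to a tag, a javascript: URL or a handler.
INDICATORS = {
    "crlf": re.compile(r"[\r\n]"),
    "tag": re.compile(r"<\s*/?\s*[a-zA-Z]"),
    "script": re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=", re.I),
}


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str):
    """Return a record with the indicators that fire, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(target)]
    return {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "hits": hits}


def suspicious(lines) -> list:
    """Only the records where at least one indicator fired."""
    return [rec for rec in map(classify, lines) if rec and rec["hits"]]


def by_source(lines) -> dict:
    """Count flagged requests per client IP, the first field to pivot on."""
    counts = {}
    for rec in suspicious(lines):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample lines (not real DataHub logs): two normal operator
# requests, three crafted ones from a second host, and a benign script path.
SAMPLE_LOG = [
    '10.0.5.20 - - [19/Oct/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.5.20 - - [19/Oct/2012:10:01:05 +0000] "GET /data?point=Tank1.Level HTTP/1.1" 200 88',
    '10.0.9.77 - - [19/Oct/2012:10:02:11 +0000] "GET /view?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.9.77 - - [19/Oct/2012:10:02:19 +0000] "GET /set?lang=en%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '10.0.9.77 - - [19/Oct/2012:10:02:40 +0000] "GET /view?name=%253Cimg%20src=x%20onerror%253Dalert(1)%253E HTTP/1.1" 200 640',
    '10.0.5.21 - - [19/Oct/2012:10:03:00 +0000] "GET /scripts/app.js HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for rec in suspicious(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["hits"], rec["target"])
    print(by_source(SAMPLE_LOG))
```

The same `INDICATORS` table can be loaded into a proxy or WAF rule in front of the interface; decoding until stable before matching is the part most often missed, since a single `unquote` leaves `%253C` as `%3C` and the check never sees the `<`.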
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Cogent DataHub: <=7.1.2, OPC DataHub: <=6.4.20, Cascade DataHub: <=6.4.20. Apply the following compensating controls:
HARDENING: Educate users to avoid clicking untrusted links pointing to the DataHub interface and to be cautious of unexpected administrative notifications or alerts.
API: /api/v1/advisories/9ecf8e8f-fd70-48e0-a9dc-011ba145c619