Supports OPC UA and OPC Classic (DA) Server and Client connections.
Connects to OPC DA 3.0 servers (and 2.05a servers that support browsing).
Accepts connections from OPC DA 3.0 or 2.05a clients.
Connects to OPC A&E servers and clients.
Supports DDE Server and Client connections.
Supports mirroring of data to the Cascade DataHub running in Linux kernel version 2.4.18 or later.
Supports live data in a web browser using Silverlight, ASP, AJAX and Java.
Supports custom TCP/IP connections through Java, .NET and C++ DataHub APIs.
Supports Windows GUI development through built-in Scripting language.
Supports ODBC compliant database access.
Data transmission rates are client dependent, but are typically thousands of points per second.
Automatic reconnect on a network break and recovery, no intervention required.
No point list configuration, the DataHub creates points as they are needed.
Superior publish/subscribe data model, no polling delays and no transmission of static data values.
13-09-2011 ICS-CERT Security Update Cogent DataHub vulnerability found and fixed
On September 13, 2011, the Industrial Control Systems Cyber Emergency Response Team of the U.S. Department of Homeland Security (ICS-CERT) notified Cogent that version 7 of the Cogent DataHub was vulnerable to denial of service, information leaks, and possible remote code execution by remote hackers. The report recommended that users of the Cogent DataHub minimize network exposure to control system devices, locate control systems behind firewalls, and if remote access is required, to use secure methods such as VPNs. In response to this report, Cogent’s development team has located, fixed, and tested for the vulnerabilities in question, incoporating the fixes in a new release of the Cogent DataHub, version 7.1.2, now available for download. Cogent encourages users of the Cogent DataHub to download and install version 7.1.2 of the Cogent DataHub where possible. Users of the OPC DataHub or Cascade DataHub should contact Cogent to download v6.4.20. Users who cannot upgrade should implement the following guidelines to minimize network exposure of their control systems. There are two classes of vulnerability:
TCP ports 4502/4503 (applies only to Cogent DataHub v7). These are the tunnel/mirror ports. If you are not using these ports, turn them off in the Tunnel/Mirror properties of the DataHub. If you are using these ports, the vulnerability cannot be exploited as long as you require authentication on all TCP connections. To do so, in the Security properties of the DataHub you should remove all permissions for the special UserNames “TCP” and “Mirror”, create a group for users who are authorized, and allow “BasicConnectivity” for that group. The DataHub will then refuse all commands from unauthenticated TCP connections, and still allow authenticated users to connect.
Web server, typically port 80 (applies to Cogent DataHub v7, as well as OPC DataHub and Cascade DataHub v6). If you are not using the DataHub Web Server, turn it off in the Web Server properties. If you are using the DataHub Web Server and exposing it to the Internet, you can configure user and password authentication in the DataHub Web Server. This will force all web browser connections to the Web Server to authenticate. This will be less convenient for your users, and may slow down page loading, but will block attackers from exploiting any of the listed vulnerabilities.
In both cases, if you are not intending for people to connect to the DataHub from the Internet, block ports 4502, 4503, 80 and 943 at your firewall, and only allow connections on these ports from within your local area network. In summary, if you cannot upgrade, all of these exploits can be blocked by security configuration in the DataHub, and further protected against through firewall configuration. If you are running any version of the DataHub in an untrusted environment, you should upgrade to Cogent DataHub v7.1.2, or OPC DataHub v6.4.20 or Cascade DataHub v6.4.20.
05-04-2013 ICS-CERT Security Update Cogent DataHub vulnerability found and fixed
On April 5, 2013, the Industrial Control Systems Cyber Emergency Response Team of the U.S. Department of Homeland Security (ICS-CERT) issued an advisory regarding several vulnerabilities found in version 7.2.2 of the Cogent DataHub and related software. As reported in this advisory, Cogent’s development team has located, fixed, and tested for the vulnerabilities in question, incorporating the fixes in new releases of the Cogent DataHub, QuickTrend, OPC DataHub, and Cascade DataHub for Windows. These new versions are currently available for download. In brief, the vulnerabilities include:
A malformed expression or random data sent to the Cogent DataHub via TCP could cause it to crash, due to improper input validation or exception handling.
An attempt to send an HTTP request with an unusually long header to the DataHub Web Server could result in a buffer overflow and Cogent DataHub crash.
DataSim and DataPid could crash if connected to a server other than the Cogent DataHub. This is not deemed a risk as these programs are not used in production systems.
The advisory included the following mitigation strategies recommended by Cogent:
Turn off Ports 4502/TCP and 4503/TCP if they are not being used. This can be done in the Tunnel/Mirror properties of the Cogent DataHub.
If access to the application from the Internet is not required, block Ports 4502/TCP and 4503/TCP at your firewall, and only allow connections on these ports from within your local area network.
If the DataHub Web server is not being used, turn it off in the Web server properties.
If access to DataHub from the Internet is not required, block Port 80/TCP at your firewall, and only allow connections on this port from within your local area network.
These vulnerabilities are fixed in the following software versions. You can download and install one of these more recent versions.
Cogent DataHub Version 7.3.0
DataHub QuickTrend Version 7.3.0
OPC DataHub Version 6.4.22
Cascade DataHub for Windows Version 6.4.22
The advisory also encouraged users of the Cogent DataHub to take the following additional security measures, which make sense for almost any industrial application:
Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
12-07-2013 ZDI-CAN-1915 Security Update – Cogent DataHub vulnerability found and fixed
On June 25, 2013, the TippingPoint Zero Day Initiative (ZDI) notified Cogent of an upcoming advisory of a vulnerability found in version 7.3.0 of the Cogent DataHub. This vulnerability is not present in any other released version of the Cogent DataHub. Cogent’s development team has located, fixed, and tested for the vulnerability in question, incorporating the fix in new releases of the Cogent DataHub, now available for download. For more information, see the ZDI advisory ZDI-CAN-1915 at www.zerodayinitiative.com. Anybody running Cogent DataHub version 7.3.0 or any beta version of 7.3.1 should upgrade to the version 7.3.1 release on Cogent’s web site as soon as possible. The new version can be installed directly over an existing installation, and all configuration and licenses will be preserved. Cogent thanks Andrea Micalizzi and HP’s Zero Day Initiative for responsibly disclosing this vulnerability.
27-10-2015 ZDI-CAN-2981 Security Update Cogent DataHub vulnerability found and fixed
As part of our ongoing commitment to security, Cogent has released a new version of the Cogent DataHub, bringing our software installations up to OpenSSL version 1.0.2d. This fixes 7 vulnerabilities in the OpenSSL libraries since version 1.0.2a, which is the previous SSL version to ship with the Cogent DataHub. In addition, we have fixed a critical vulnerability in the Cogent DataHub, known as ICS-VU-780001 or ZDI-CAN-2981, that could facilitate remote code execution via the DataHub’s built-in web server. We strongly recommend that you upgrade to version 7.3.9 (or later) of the Cogent DataHub if either of these conditions is true in your installation:
You have configured the DataHub web server or DataHub tunnelling to accept connections over SSL. By default the DataHub is configured to accept SSL tunnelling connections on port 4503.
You are exposing the DataHub web server or tunnelling ports to an untrusted network, such as the Internet.
To upgrade, if you are running any version of Cogent DataHub version 7, or if you are on our Support and Maintenance Plan, you may download and use the latest version from our web site. If you are running earlier versions of the DataHub, such as OPC DataHub version 6.4 or earlier, please contact Cogent to discuss options for upgrading. If you have any questions or concerns, please contact us.