Horner Automation Cscape
Plan Patch | 7.8 | ICS-CERT ICSA-19-050-03 | Feb 19, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Improper input validation in Horner Automation Cscape 9.80 SP4 and earlier (CWE-20) allows a local attacker who can provide malicious input to crash the application, read confidential information, or execute arbitrary code. The vulnerability requires user interaction such as opening a crafted file.
What this means
What could happen
An attacker with local access to an engineering workstation running Cscape could crash the application, read sensitive project files, or execute arbitrary code on the workstation, potentially compromising automation system configurations and credentials.
Who's at risk
Automation engineers and operators managing Horner Automation programmable logic controllers (PLCs) and motion controllers via Cscape software. This affects engineering departments at manufacturing facilities, water treatment plants, HVAC systems, and any facility using Horner Automation equipment for process control.
How it could be exploited
An attacker must first gain local access to a workstation running Cscape (e.g., through social engineering, malware delivery, or physical access). The attacker then opens a specially crafted file or provides malicious input that triggers the improper input validation flaw. This can crash the application, disclose information, or, in worse cases, give the attacker code execution within the Cscape process running on that workstation.
Prerequisites
- Local access to an engineering workstation running Cscape 9.80 SP4 or earlier
- User interaction required (opening a malicious file or accepting untrusted input)
- No valid Horner Automation credentials needed for the local attack
- Local access required
- User interaction required
- Improper input validation (CWE-20)
- Could lead to information disclosure of sensitive automation configurations
- Could enable arbitrary code execution on engineering workstation
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Cscape: 9.80 SP4 and prior | ≤ 9.80 SP4 | 9.90 or later |
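One way to triage an engineering-workstation inventory against the affected range above. This is an added example, not part of the advisory or any Horner Automation tooling; the version-string layout (`<major>.<minor>` with an optional `SP<n>`), the host names and the inventory contents are assumptions constructed for illustration.

```python
import re

# Boundaries taken from the advisory: affected <= 9.80 SP4, fixed in 9.90 or later.
LAST_AFFECTED = (9, 80, 4)
FIRST_FIXED = (9, 90, 0)

# Assumed layout: "<major>.<two-digit minor>" with an optional "SP<n>" suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*SP\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, service_pack), or None if the string is unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, sp = m.groups()
    return (int(major), int(minor), int(sp or 0))


def classify(text):
    """Map an installed-version string to 'affected', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # never treat an unreadable version as safe
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    return "unknown"  # between 9.80 SP4 and 9.90: the advisory does not say


def triage(inventory):
    """Return (host, version, status) for every host that still needs attention."""
    findings = []
    for host, version in inventory.items():
        status = classify(version)
        if status != "fixed":
            findings.append((host, version, status))
    return sorted(findings)


# Constructed inventory; host names and versions are hypothetical.
SAMPLE_INVENTORY = {
    "eng-ws-01": "9.80 SP4", "eng-ws-02": "9.90", "eng-ws-03": "9.80",
    "eng-ws-04": "9.70 SP2", "eng-ws-05": "9.90 SP1", "eng-ws-06": "unknown build",
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: Cscape {version!r} -> {status}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched.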
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and remote desktop access to engineering workstations running Cscape to trusted personnel only
- HARDENING: Educate automation engineers not to open untrusted files or accept suspicious input on Cscape workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cscape to Version 9.90 or later
Long-term hardening
- HARDENING: Monitor for unusual Cscape process crashes or unexplained behavior on engineering workstations
CVEs (1)