Horner Automation Cscape EnvisionRV
Plan Patch | 7.8 | ICS-CERT ICSA-21-355-02 | Dec 21, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Cscape EnvisionRV versions 4.50.3.1 and prior contain an improper input validation vulnerability (CWE-20) that allows arbitrary code execution when processing malicious project files. Successful exploitation executes code in the context of the EnvisionRV process. The vulnerability is not remotely exploitable and requires a user to open a malicious project file. Horner Automation has released version 4.60 to remediate this issue.
What this means
What could happen
An attacker could execute arbitrary code on a machine running Cscape EnvisionRV, potentially allowing them to modify or stop industrial control projects or compromise the engineering workstation itself.
Who's at risk
This affects organizations using Horner Automation Cscape EnvisionRV for engineering and configuration of Horner PLCs and other industrial devices. Engineering workstations and configuration servers running v4.50.3.1 or earlier are at risk if users receive or access malicious project files.
How it could be exploited
An attacker must trick a user into opening a malicious project file in Cscape EnvisionRV. The vulnerability is triggered when the project file is processed, allowing code execution in the context of the EnvisionRV process running on that workstation.
Prerequisites
- User must open a malicious Cscape project file
- Cscape EnvisionRV v4.50.3.1 or earlier must be installed
- Local access to the engineering workstation
- Local access required
- Social engineering attack vector
- Low complexity exploitation
- Arbitrary code execution on engineering workstation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Cscape EnvisionRV: v4.50.3.1 and prior | ≤ 4.50.3.1 | 4.60 |
Remediation & Mitigation
Do now
- WORKAROUND: Only open Cscape project files from trusted sources; do not open unsolicited project files received via email or other channels
- WORKAROUND: Train engineering staff to avoid clicking links or opening attachments in unsolicited emails
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cscape EnvisionRV to version 4.60 or later
CVEs (1)