OTPulse

Horner Automation Cscape

Plan Patch
7.8
ICS-CERT ICSA-22-277-03
Oct 4, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Horner Automation Cscape versions 9.90 SP7 and earlier contain out-of-bounds write (CWE-787) and undefined behavior (CWE-824) vulnerabilities that allow local attackers to execute arbitrary code with the privileges of the user running the application. The vulnerabilities are not remotely exploitable and require local system access and user interaction. No known public exploits exist.

What this means
What could happen
An attacker with local access to a machine running Cscape could execute arbitrary code with the privileges of the user running the application, potentially allowing unauthorized changes to industrial control logic or parameter settings.
Who's at risk
Organizations operating industrial control systems programmed or maintained with Horner Automation Cscape, including water treatment facilities, manufacturing plants, and power distribution systems. Engineering and control personnel who use Cscape workstations to develop, deploy, or troubleshoot PLC logic are the primary at-risk group.
How it could be exploited
An attacker must first gain local access to a computer where Cscape is installed—for example, through physical access, a USB drive, or a compromised network share. Once local, the attacker can exploit a memory corruption or bounds-checking flaw to run arbitrary code on that machine. If the Cscape workstation is used to program or monitor PLCs or other control devices, the attacker could alter program logic or parameters.
Prerequisites
  • Local access to the Cscape workstation
  • User interaction (user must run or interact with a malicious file or process)
  • Cscape version 9.90 SP7 or earlier installed
  • Local attack vector only
  • User interaction required
  • Low exploitation complexity
  • Memory corruption vulnerability
  • Can lead to code execution on engineering workstation
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product                Affected Versions    Fix Status
Cscape: <=9.90_SP_7    ≤ 9.90 SP 7          9.90 SP8
Cscape: <=9.90_SP_6    ≤ 9.90 SP 6          9.90 SP8
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cscape to version 9.90 SP8 or later
Long-term hardening
HARDENING: Restrict local access to Cscape workstations through physical and logical controls (e.g., locked rooms, access lists, disabling unused USB ports)
HARDENING: Enforce user awareness training on not executing untrusted files or accepting files from untrusted sources on engineering workstations