OTPulse

Horner Automation Cscape

Action: Plan Patch
CVSS: 7.8
Source: ICS-CERT ICSA-24-011-04
Published: Jan 11, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Cscape versions 9.90_SP10 and earlier contain a buffer overflow vulnerability (CWE-121) in file parsing that allows arbitrary code execution when a user opens a malicious file. The vulnerability requires local access to the workstation and user interaction. Horner Automation has released Cscape version 9.90 SP11 as a fix. No public exploitation has been reported.

What this means
What could happen
An attacker with local access to a Cscape engineering workstation could execute arbitrary code with the privileges of the logged-in user, potentially allowing them to modify control logic, create backdoors, or alter process parameters.
Who's at risk
Engineering teams and automation technicians at utilities, water systems, and industrial facilities who use Horner Automation Cscape software to design, program, and maintain industrial control logic. This affects anyone who develops or modifies configuration on Horner PLCs and other Horner devices through Cscape.
How it could be exploited
An attacker must first gain local file system access to a machine running Cscape (via malware delivery, social engineering, or physical access) and place a crafted file there. The attacker then relies on a stack-based buffer overflow (CWE-121) in Cscape's file parser, which executes arbitrary code when a legitimate user opens the specially crafted file in Cscape. No network connectivity to the PLC is required for the exploit itself, but the attacker could use the compromised workstation to access the industrial network afterward.
Prerequisites
  • Local file system access to Cscape workstation
  • Cscape version 9.90_SP10 or earlier installed
  • User interaction required (opening a malicious file)
  • Attacker must craft a file that triggers the buffer overflow when parsed by Cscape
  • Local access required (not remotely exploitable)
  • User interaction needed (file must be opened)
  • Buffer overflow vulnerability (CWE-121)
  • No patch currently available (advisory recommends upgrade path)
  • Affects engineering workstations that can reach industrial networks
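To make the CWE-121 pattern behind this advisory concrete for defenders and reviewers, the following added example shows a minimal file-record parser in its vulnerable form beside its bounds-checked form. This is illustrative code written for this page, not Cscape's code; the record layout (a magic byte, a one-byte length field, then a name) is constructed for the example and has nothing to do with Cscape's actual file format.

```c
/* Added example: a constructed "project file" record parser showing the
 * CWE-121 pattern (fixed-size stack buffer, length taken from the file)
 * next to the bounds-checked form. Not Cscape's code or file format. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NAME_MAX 32   /* size of the fixed on-stack buffer used by both parsers */

/* Constructed record layout: [magic 'H'][name_len u8][name bytes ...] */

/* Vulnerable form (CWE-121): trusts name_len from the file and copies that
 * many bytes into a 32-byte stack buffer, so a name_len larger than the
 * buffer overwrites adjacent stack memory. Shown for contrast; not called. */
int parse_record_unsafe(const uint8_t *buf, size_t len, char *out, size_t out_sz)
{
    char name[NAME_MAX];
    if (len < 2 || buf[0] != 'H')
        return -1;
    uint8_t name_len = buf[1];
    memcpy(name, buf + 2, name_len);   /* no check against NAME_MAX or len */
    name[name_len] = '\0';             /* may also write out of bounds */
    snprintf(out, out_sz, "%s", name);
    return 0;
}

/* Hardened form: every length read from the file is checked against both
 * the stack buffer size and the bytes actually present in the input
 * before anything is copied. Return codes distinguish the failure causes. */
int parse_record_safe(const uint8_t *buf, size_t len, char *out, size_t out_sz)
{
    char name[NAME_MAX];
    if (buf == NULL || out == NULL || out_sz == 0)
        return -1;
    if (len < 2 || buf[0] != 'H')
        return -1;                     /* truncated header or wrong magic */
    size_t name_len = buf[1];
    if (name_len >= NAME_MAX)
        return -2;                     /* would overflow the stack buffer */
    if (name_len > len - 2)
        return -3;                     /* claims more bytes than the file holds */
    memcpy(name, buf + 2, name_len);
    name[name_len] = '\0';
    snprintf(out, out_sz, "%s", name);
    return 0;
}

/* Constructed sample records for demonstration. */
const uint8_t GOOD_RECORD[]      = { 'H', 5, 'P', 'U', 'M', 'P', '1' };
const uint8_t OVERSIZED_RECORD[] = { 'H', 200, 'x' };       /* length field says 200 */
const uint8_t TRUNCATED_RECORD[] = { 'H', 10, 'a', 'b' };   /* length exceeds file */

int main(void)
{
    char out[64];
    int rc = parse_record_safe(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD, out, sizeof out);
    printf("oversized record: rc=%d (rejected before any copy)\n", rc);
    rc = parse_record_safe(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD, out, sizeof out);
    printf("truncated record: rc=%d (rejected before any copy)\n", rc);
    rc = parse_record_safe(GOOD_RECORD, sizeof GOOD_RECORD, out, sizeof out);
    printf("good record: rc=%d name=%s\n", rc, out);
    return 0;
}
```

The point a code reviewer or fuzzing harness looks for is the one the hardened parser makes explicit: a length field that arrives from the file is untrusted input and must be compared against the destination buffer size and the remaining input length before it drives a copy. Parsers that skip either check are the usual source of the file-open code-execution bugs this class of advisory describes.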
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product   Affected Versions                     Fix Status
Cscape    ≤ 9.90 SP10 (9.90_SP10 and earlier)   9.90 SP11
Remediation & Mitigation
Do now
  • HARDENING: Restrict local access to Cscape engineering workstations; limit who can log in and use the system
  • HARDENING: Isolate Cscape workstations from the internet and business networks; place them on a secure engineering network with access controls
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade Cscape to version 9.90 SP11 or later
  • HARDENING: Implement application whitelisting on Cscape workstations to prevent execution of unauthorized software
Long-term hardening
  • HARDENING: Train engineering staff to avoid opening files from untrusted sources or unexpected emails containing attachments