A cybersecurity researcher has discovered a total of seven high-severity remote code execution vulnerabilities in Horner Automation’s Cscape product and they can all be exploited using malicious font files.
Horner Automation is a US-based company that provides solutions for industrial process and building automation. Its Cscape programmable logic controller (PLC) software provides ladder diagram programming and operator interface development capabilities. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Cscape is used worldwide, including in the critical manufacturing sector.
Researcher Michael Heinzl has discovered seven vulnerabilities in Cscape: four in 2021 and three in 2022. The first round of vulnerabilities was disclosed in May 2022, and CISA and the researcher published advisories for the second round of vulnerabilities in early October. According to CISA, the vendor has released updates that should patch all of these security holes.
Heinzl described the vulnerabilities as heap-based buffer overflow, out-of-bounds read/write, and uninitialized pointer issues related to improper validation of user-supplied data when the application parses fonts.
An attacker can exploit the flaws to execute arbitrary code in the context of the current process by getting a user to open a specially crafted font file. The researcher told SecurityWeek that the application does include specific features for dealing with fonts. This can increase an attacker’s chances of getting a user to open the malicious files using social engineering techniques.
Opening a malicious font file can result in the attacker’s code getting executed with the privileges of the user who launched the application.
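As an added illustration of the bug class the advisories describe (a parser trusting a length field taken from the font file), the toy C parser below shows the two checks whose absence produces exactly these heap overflows and out-of-bounds reads. This is constructed example code, not Cscape's code or its real font format; the container layout, the function names and the sample inputs are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy font container (not Cscape's format):
   [u8 table_count] then table_count records of
   [u8 tag][u32 little-endian len][len bytes of glyph data]. */
#define MAX_GLYPH_BYTES 64

typedef struct {
    uint8_t  tag;
    uint32_t len;
    uint8_t  data[MAX_GLYPH_BYTES];   /* fixed-capacity destination */
} glyph_table;

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of tables parsed, or -1 for a malformed file.
   The unsafe pattern behind this bug class is a bare
       memcpy(out->data, buf + pos, len);
   with len taken straight from the file. Here len is checked against the
   bytes actually remaining in the input (prevents an out-of-bounds read)
   and against the destination capacity (prevents a heap/stack overflow)
   before any copy. Using "len > size - pos" instead of "pos + len > size"
   avoids wrapping the offset arithmetic. */
int parse_font(const uint8_t *buf, size_t size, glyph_table *out, size_t max_tables) {
    if (size < 1) return -1;
    size_t count = buf[0], pos = 1, n = 0;
    if (count > max_tables) return -1;           /* output array capacity */
    for (size_t i = 0; i < count; i++) {
        if (size - pos < 5) return -1;           /* record header must fit */
        uint8_t  tag = buf[pos];
        uint32_t len = read_u32le(buf + pos + 1);
        pos += 5;
        if (len > size - pos) return -1;         /* length exceeds input */
        if (len > MAX_GLYPH_BYTES) return -1;    /* length exceeds dest */
        out[n].tag = tag;
        out[n].len = len;
        memcpy(out[n].data, buf + pos, len);
        pos += len;
        n++;
    }
    return (int)n;
}

/* Constructed samples: a valid file, one whose length field overruns the
   input, and one whose length field exceeds the destination buffer. */
static const uint8_t SAMPLE_GOOD[]      = {2, 'A', 3,0,0,0, 1,2,3, 'B', 0,0,0,0};
static const uint8_t SAMPLE_TRUNCATED[] = {1, 'A', 200,0,0,0, 1,2};
static const uint8_t SAMPLE_OVERSIZED[106] = {1, 'A', 100,0,0,0};  /* len 100 > 64 */
static glyph_table g_tables[4];
```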
These are not the only industrial control system (ICS) vulnerabilities identified by Heinzl. In the past two years, the researcher disclosed flaws found in industrial products made by Elcomplus, the CX-Programmer PLC programming software from Omron, Fuji Electric’s Tellus factory monitoring and operating product, Delta Electronics’ DIAEnergie industrial energy management system, and the myPRO HMI/SCADA product of mySCADA.