Security Experts:

Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files

A cybersecurity researcher has discovered a total of seven high-severity remote code execution vulnerabilities in Horner Automation’s Cscape product and they can all be exploited using malicious font files.

Horner Automation is a US-based company that provides solutions for industrial process and building automation. Its Cscape programmable logic controller (PLC) software provides ladder diagram programming and operator interface development capabilities. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Cscape is used worldwide, including in the critical manufacturing sector.

Researcher Michael Heinzl has discovered seven vulnerabilities in Cscape: four in 2021 and three in 2022. The first round of vulnerabilities was disclosed in May 2022, and CISA and the researcher published advisories for the second round of vulnerabilities in early October. According to CISA, the vendor has released updates that should patch all of these security holes.

2022 ICS Cyber Security Conference

Heinzl described the vulnerabilities as heap-based buffer overflow, out-of-bounds read/write, and uninitialized pointer issues related to improper validation of user-supplied data when the application parses fonts.

An attacker can exploit the flaws to execute arbitrary code in the context of the current process by getting a user to open a specially crafted font file. The researcher told SecurityWeek that the application does include specific features for dealing with fonts. This can increase an attacker’s chances of getting a user to open the malicious files using social engineering techniques.

Opening a malicious font file can result in the attacker’s code getting executed with the privileges of the user who launched the application.

These are not the only industrial control system (ICS) vulnerabilities identified by Heinzl. In the past two years, the researcher disclosed flaws found in industrial products made by Elcomplus, the CX-Programmer PLC programming software from Omron, Fuji Electric’s Tellus factory monitoring and operating product, Delta Electronics’ DIAEnergie industrial energy management system, and the myPRO HMI/SCADA product of mySCADA.

Related: Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities

Related: Critical Vulnerabilities Found in Sealevel Device Used in ICS Environment

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.