Horner Automation has released a new version of its Cscape software to mitigate an improper input validation vulnerability, according to a report from NCCIC.
Successful exploitation of this vulnerability, discovered by an anonymous researcher working with Trend Micro’s Zero Day Initiative, could crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.
Cscape is control system application programming software; versions 9.80 SP4 and prior suffer from the issue.
The improper input validation issue may be exploited by processing specially crafted POC files. This may allow an attacker to read confidential information and remotely execute arbitrary code.
CVE-2019-6555 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.
Horner Automation recommends affected users update to the latest version of Cscape (Version 9.90).
Outside the Americas, click to download here.
Users with questions regarding specific Cscape installations should contact a local Horner Automation service support team at the following email addresses or telephone numbers or +1-317-916-4274.
Outside the Americas email here or call +353-(0)21-4321266 ext. 202.