"Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files"

Security researcher Michael Heinzl has discovered seven high-severity remote code execution vulnerabilities in Horner Automation's Cscape product, all of which can be exploited using malicious font files. Horner Automation is a US-based company that provides solutions for industrial process and building automation. Its Cscape programmable logic controller (PLC) software provides ladder diagram programming and operator interface development capabilities. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Cscape is used worldwide, including in the critical manufacturing sector.

Four of the vulnerabilities were discovered in 2021 and three in 2022. The first round was disclosed in May 2022, and CISA and the researcher published advisories for the second round in early October. CISA noted that the vendor has released updates that should patch all of these security holes.

Heinzl described the vulnerabilities as heap-based buffer overflow, out-of-bounds read/write, and uninitialized pointer issues, all stemming from improper validation of user-supplied data when the application parses fonts. An attacker can exploit the flaws to execute arbitrary code in the context of the current process by getting a user to open a specially crafted font file; the attacker's code then runs with the privileges of the user who launched the application.

SecurityWeek reports: "Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files"