CVE-2023-32545
📋 TL;DR
This vulnerability allows an attacker to execute arbitrary code through improper input validation in Cscape project file parsing. A crafted project file triggers an out-of-bounds read in the CANPortMigration component when it is opened, and the resulting memory corruption can be leveraged to run code with the privileges of the user running Cscape. The exposed assets are the Windows engineering workstations that run vulnerable Cscape versions and, through them, the Horner controllers those workstations program.
💻 Affected Systems
- Horner Automation Cscape
📦 What is this software?
Cscape by Horner Automation
Cscape EnvisionRV by Horner Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the engineering workstation, from which the attacker can alter controller logic, push malicious projects to the PLCs, steal project data, or disrupt operations.
Likely Case
Code execution in the context of the Windows user who opens a crafted project file on an engineering workstation. Because that user is normally permitted to program the controllers, the attacker inherits that reach into the control network without needing a separate privilege escalation.
If Mitigated
Limited impact with proper network segmentation and file validation controls preventing malicious files from reaching vulnerable systems.
🎯 Exploit Status
Exploitation requires the attacker to supply a malicious project file and get a user to open it in a vulnerable Cscape; the vector is local with user interaction, typically phishing, a compromised project share, or removable media carried between sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 11.00.00.00 and later
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-04
Restart Required: Yes
Instructions:
1. Download Cscape version 11.00.00.00 or later from Horner Automation
2. Uninstall previous vulnerable versions
3. Install the updated version
4. Restart the system
🔧 Temporary Workarounds
Restrict project file sources
Only open project files (.csp) from trusted sources, e.g. a version-controlled project repository with restricted write access; treat .csp files arriving by e-mail, web download or removable media as untrusted until reviewed.
Network segmentation
Isolate Cscape engineering workstations from untrusted networks (corporate IT, internet, e-mail) and allow only the controller-programming traffic they need through the firewall.
🧯 If You Can't Patch
- Implement strict access controls to prevent untrusted project files from being loaded
- Deploy application whitelisting to only allow execution of trusted applications
🔍 How to Verify
Check if Vulnerable:
Open Help > About in Cscape and read the version; anything below 11.00.00.00 is vulnerable. Do this on every engineering workstation, including field laptops, since the bug is in the workstation software rather than the controller.
Check Version:
Help > About in the Cscape application, or, for a scripted inventory, the DisplayVersion of the Cscape entry that the installer typically registers under the Windows Uninstall registry key.
Verify Fix Applied:
Confirm that Help > About shows 11.00.00.00 or higher after the upgrade on every workstation found in the inventory.
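The following is an added example (not Horner Automation's tooling and not from the advisory) of a scripted version check for the inventory described above. It assumes the fixed build is 11.00.00.00 as stated on this page and that installers register a DisplayName/DisplayVersion under the standard Windows Uninstall keys; the sample entries are constructed. It also shows why a plain string comparison gets this wrong: "9.90.00.00" sorts after "11.00.00.00", so a naive check reports a vulnerable 9.x install as patched.

```python
"""Inventory-style check for vulnerable Cscape installs (added example, not Horner's own tooling).

Assumptions: the fixed build is 11.00.00.00 as stated above, and installed programs are
read from the standard Windows Uninstall registry keys. The sample entries are constructed.
"""
import platform
from typing import Iterable, List, Tuple

FIXED_VERSION = "11.00.00.00"

# Constructed sample of (DisplayName, DisplayVersion) pairs, shaped like an Uninstall-key scan.
SAMPLE_ENTRIES = [
    ("Cscape 9.90", "9.90.00.00"),
    ("Cscape", "11.00.00.00"),
    ("7-Zip 22.01 (x64)", "22.01"),
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Convert a dotted version into four integers so it compares numerically.

    Each dotted field is reduced to its leading digits, so a suffix such as '00 SP8'
    still parses; missing fields are zero-padded; fields beyond the fourth are ignored.
    """
    parts: List[int] = []
    for field in text.strip().split("."):
        digits = ""
        for ch in field.strip():
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts.extend([0] * (4 - len(parts)))
    return (parts[0], parts[1], parts[2], parts[3])


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def naive_string_check(version: str) -> bool:
    """The wrong way: plain string comparison. '9.90...' sorts AFTER '11.00...' because
    '9' > '1', so a vulnerable 9.x install is reported as patched. Kept to show the pitfall."""
    return version < FIXED_VERSION


def find_vulnerable(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (name, version) pairs down to Cscape products below the fixed version."""
    return [(name, ver) for name, ver in entries
            if "cscape" in name.lower() and is_vulnerable(ver)]


def registry_entries() -> List[Tuple[str, str]]:
    """Read DisplayName/DisplayVersion from the 64- and 32-bit Uninstall keys (Windows only)."""
    if platform.system() != "Windows":
        return []
    import winreg  # only importable on Windows
    found: List[Tuple[str, str]] = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        name = winreg.QueryValueEx(sub, "DisplayName")[0]
                        ver = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                except OSError:
                    continue  # entry without a name/version, or not readable
                found.append((str(name), str(ver)))
    return found


if __name__ == "__main__":
    # On Windows this scans the real registry; elsewhere it falls back to the constructed sample.
    entries = registry_entries() or SAMPLE_ENTRIES
    for name, ver in find_vulnerable(entries):
        print(f"VULNERABLE: {name} {ver} (fixed in {FIXED_VERSION})")
```

Run it from an endpoint-management job on each workstation and collect the output centrally; Help > About still settles any doubtful entry, since the registry only reflects what the installer wrote.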
📡 Detection & Monitoring
Log Indicators:
- Unexpected crashes of Cscape application
- Unusual file parsing errors in application logs
- Access to project files from untrusted sources
Network Indicators:
- Unexpected network connections from Cscape process
- Transfer of project files from external sources
SIEM Query:
Pseudo-syntax, adapt the field names to your SIEM:
(Channel="Application" AND EventID IN (1000, 1001) AND Message CONTAINS "Cscape.exe")
OR (Sysmon EventID=11 AND TargetFilename ENDSWITH ".csp" AND TargetFilename CONTAINS "\Downloads\")
OR (Sysmon EventID=1 AND ParentImage ENDSWITH "\Cscape.exe" AND Image IN ("cmd.exe", "powershell.exe"))
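The indicators above, turned into three detection rules and run over constructed sample events. This is an added example, not part of the advisory: the records are modelled as dicts shaped like JSON-forwarded Windows Application log and Sysmon events (field names Channel, EventID, Message, Image, ParentImage, TargetFilename follow the usual Sysmon/Windows names), but every record here is made up for the example, and the untrusted-directory and child-process lists are assumptions you should tune to your environment.

```python
"""Detection rules for the Cscape indicators listed above, over constructed sample events.

Added example, not part of the advisory. Events are dicts shaped like JSON-forwarded
Windows Event Log / Sysmon records; the records themselves are constructed.
"""
from typing import Callable, Dict, List, Optional

# Assumed: places a user-supplied file lands before being opened (web downloads, mail
# attachments, temp dirs). A .csp appearing here came from outside the project repository.
UNTRUSTED_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\", "\\outlook\\")
# Assumed: interpreters and LOLBins that a project-file parser has no business spawning.
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe")

SAMPLE_EVENTS: List[Dict] = [
    # Application Error: Cscape crashed while a project was open (possible failed exploit)
    {"Channel": "Application", "EventID": 1000,
     "Message": "Faulting application name: Cscape.exe, version: 9.90.0.0, Exception code: 0xc0000005"},
    # Windows Error Reporting follow-up for the same crash
    {"Channel": "Application", "EventID": 1001,
     "Message": "Fault bucket 1234, type 4 Event Name: APPCRASH Response: Not available P1: Cscape.exe"},
    # Sysmon FileCreate: a .csp project dropped by the browser into Downloads (untrusted source)
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\eng1\\Downloads\\line3_update.csp"},
    # Sysmon FileCreate: a .csp saved by Cscape itself to the project share (benign)
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": "C:\\Program Files (x86)\\Cscape\\Cscape.exe",
     "TargetFilename": "P:\\Projects\\line3.csp"},
    # Sysmon ProcessCreate: Cscape spawning a shell, typical post-exploitation behaviour
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files (x86)\\Cscape\\Cscape.exe", "CommandLine": "cmd.exe /c whoami"},
    # Sysmon ProcessCreate: a normal Cscape launch from Explorer (benign)
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Program Files (x86)\\Cscape\\Cscape.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "Cscape.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_crash(ev: Dict) -> Optional[str]:
    """Application Error (1000) / WER (1001) events naming Cscape.exe."""
    if ev.get("Channel") == "Application" and ev.get("EventID") in (1000, 1001) \
            and "cscape.exe" in ev.get("Message", "").lower():
        return f"Cscape.exe crash reported (EventID {ev['EventID']})"
    return None


def rule_untrusted_project_file(ev: Dict) -> Optional[str]:
    """Sysmon FileCreate (11) of a .csp project in a download/attachment/temp location."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "").lower()
    if target.endswith(".csp") and any(d in target for d in UNTRUSTED_DIRS):
        return f"project file from untrusted location: {ev['TargetFilename']} (by {_basename(ev.get('Image', ''))})"
    return None


def rule_child_process(ev: Dict) -> Optional[str]:
    """Sysmon ProcessCreate (1) where Cscape.exe is the parent of a shell or LOLBin."""
    if ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == "cscape.exe" \
            and _basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN:
        return f"Cscape.exe spawned {_basename(ev['Image'])}: {ev.get('CommandLine', '')}"
    return None


RULES: List[Callable[[Dict], Optional[str]]] = [rule_crash, rule_untrusted_project_file, rule_child_process]


def evaluate(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts: List[Dict] = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"rule": rule.__name__, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

The child-process rule is the highest-fidelity of the three: a crash alone may be a bug or a bad file, and a downloaded .csp may be legitimate, but a project-file parser launching cmd.exe or powershell.exe is almost never expected. If Sysmon is configured for FileCreateStreamHash (EventID 15), a Zone.Identifier stream on a .csp is another reliable signal that the file came from the internet or e-mail.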