Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds read and write vulnerability when parsing project files due to a lack of proper validation of user-supplied data. This could result in reads and writes past the end of allocated data structures, which could lead to an attacker executing arbitrary code. CVE-2023-0621, CVE-2023-0622, and CVE-2023-0623 have been assigned to these vulnerabilities, with a CVSS v3 base score of 7.8. Horner Automation has fixed these vulnerabilities in Version 4.70, and recommends all users update affected devices to the latest versions. To minimize the risk of exploitation, CISA recommends users take defensive measures such as minimizing network exposure for all control system devices and/or systems, and ensuring they are not accessible from the Internet. Additionally, they suggest using secure methods such as Virtual Private Networks when remote access is required. Organizations observing suspected malicious activity should report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities.
This Cyber News was published on us-cert.cisa.gov. Publication date: Thu, 09 Feb 2023 17:49:02 +0000