Everest Software Fixes Vulnerabilities

Tuesday, September 22, 2015 @ 05:09 PM gHale

Everest Software LLC produced a new version to mitigate two-pointer dereference vulnerabilities in its PeakHMI application, according to a report on ICS-CERT.

Independent researcher, Josep Pi Rodriguez, who discovered the vulnerabilities, tested the new version to validate it resolves the remotely exploitable vulnerabilities.
Fiat Auto Vulnerability Update


Schneider Mitigates Plaintext Hole
CODESYS Gateway Server Fixed
GE Mitigates MDS PulseNET Holes
Advantech Fixes Buffer Overflow

PeakHMI versions prior to suffer from the issue.

An attacker who exploits these vulnerabilities with the video server enabled could remotely crash the service.

Everest Software LLC is a United States-based company. PeakHMI is a human-machine interface (HMI) product used in industrial control systems. PeakHMI products see action across most industrial sectors. Everest Software estimates these products see use primarily in the United States but do have global applications.

The researcher found two separate instances where a specially crafted packet could cause the program to dereference a pointer. This can only end up exploited with the video server enabled.

CVE-2015-6454 is the case number assigned to these vulnerabilities, which has a CVSS v2 base score of 5.0.

No known public exploits specifically target these vulnerabilities. An attacker with a low skill would be able to exploit these vulnerabilities.

Everest Software addressed these problems in the latest version ( of PeakHMI. Users can check for a new version anytime from within the program and get an update. There is no charge for upgrades or updates. Users can also find the new version on the PeakHMI web site.