OTPulse

Everest Software PeakHMI Pointer Dereference Vulnerabilities

Low Risk | ICS-CERT ICSA-15-232-01 | May 23, 2015
Summary

PeakHMI versions prior to 8.7.0.2 contain pointer dereference vulnerabilities (CWE-822) that could allow an attacker to crash the application or potentially execute arbitrary code. The vendor has not planned a fix for this vulnerability, and the product appears to be unsupported.

What this means
What could happen
A pointer dereference flaw in PeakHMI could allow an attacker to crash the HMI application or potentially execute arbitrary code, disrupting operator visibility and control of manufacturing processes.
Who's at risk
Manufacturing facilities using Everest Software PeakHMI for process visualization and control should be concerned. This affects any operation relying on PeakHMI for operator interface to PLCs, process equipment, or safety monitoring systems.
How it could be exploited
An attacker would need to send a specially crafted input or interaction to the PeakHMI application that triggers the pointer dereference. This could occur through network connectivity to the HMI system or local access, depending on how the vulnerable code path is reached.
Prerequisites
  • Network or local access to PeakHMI application
  • Ability to send crafted input to trigger vulnerable code path
  • No patch available
  • Pointer dereference can cause denial of service or code execution
  • End-of-life product with no vendor support planned
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product | Affected Versions | Fix Status
PeakHMI | <8.7.0.2 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Monitor PeakHMI for unexpected crashes or restarts that may indicate exploitation attempts
Mitigations - no patch available
PeakHMI: <8.7.0.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict access to PeakHMI systems; limit connectivity to trusted engineering and operations networks only
HARDENING: Implement input validation and filtering at network ingress points to detect and block malformed requests targeting PeakHMI
HARDENING: Evaluate upgrade path to alternative HMI software with active vendor support, as no patch is planned for PeakHMI