Security Week 05: critical vulnerabilities in medical devices

On January 23, the unit of the U.S. Department of Homeland Security responsible for cyber threats (CISA) published an advisory on six serious vulnerabilities in medical devices (news, source document). The problems were found in GE Healthcare hospital equipment, including the Carescape B450, B650 and B850 patient monitors. Five of the six vulnerabilities scored 10 on the CVSSv3 scale, the highest possible rating, meaning they can be exploited remotely and without special skills. Public disclosures about specialised equipment are rare, so they are a useful gauge of how secure such devices actually are.

The photo above shows one of the devices named in the advisory, the Carescape B650 monitor. The vendor's site gives no specifications, and even the datasheet does not name the hardware platform or operating system. But the date on that document (2010) points to the obvious problem with this kind of equipment: it is expensive, so it stays in service for a long time. In effect it is a stand-alone computer with a 15-inch display that can operate autonomously and connect to a wired or wireless network to transfer data.

Two of the vulnerabilities apply to this device. CVE-2020-6962 describes an input validation flaw in the web interface that can lead to arbitrary code execution. CVE-2020-6965 apparently points to an insecure software update mechanism that allows arbitrary files to be uploaded to the monitor without authentication.

The descriptions of the other vulnerabilities cover hard-coded SSH keys for remote access to the server equipment, hard-coded credentials for access over SMB, the ability to send keystrokes remotely without authentication, and weak encryption in VNC connections. All six were discovered by CyberMDX; a little more detail is in this article on Bleeping Computer. They affect both the Linux-based systems, where the problem was an outdated version of the Webmin admin panel, and the "field" devices running Windows XP Embedded (that is where the hard-coded SMB passwords were found). Outdated versions or incorrect configurations are also behind the remote keyboard access (via the Multimouse and Kavoom! software).

The agency's recommendations are the obvious ones: isolate the network segment with the medical equipment, block remote access over SSH, VNC and SMB, restrict physical access to the control servers, change default passwords, and get staff into the habit of using strong passwords. The manufacturer is working on fixes for some of the vulnerabilities, but no patches have been released yet.
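One concrete way to verify the "block SSH, VNC and SMB" recommendation is to scan the isolated segment from the outside and check that none of those services answers. The script below is an added example, not code from the original post or from the advisory: it parses nmap's "grepable" output (the `-oG` format) and reports hosts where the flagged ports are open. The scan text embedded in it is constructed for illustration, the addresses and hostnames are hypothetical, and port 10000 is included on the assumption that Webmin runs on its default port.

```python
"""Flag hosts on a medical-device segment that still expose the services the
advisory says to block (SSH, VNC, SMB), plus the Webmin panel mentioned above.

Added example, not part of the original post. Input is nmap "grepable"
output (-oG). The sample scan below is constructed; nothing in it is real.
"""
import re

# Ports that should not be reachable from outside the isolated segment.
# 10000 is Webmin's default port (assumption: the panel was not moved).
FLAGGED_PORTS = {
    22: "ssh",
    139: "smb",
    445: "smb",
    5900: "vnc",
    10000: "webmin",
}

# Constructed nmap -oG output; hosts and results are hypothetical.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -oG - -p 22,139,445,5900,10000 10.20.0.0/28
Host: 10.20.0.10 (mon-b650-01)\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///\tIgnored State: closed (3)
Host: 10.20.0.11 (mon-b850-02)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (4)
Host: 10.20.0.12 (gateway-srv)\tPorts: 22/closed/tcp//ssh///, 10000/open/tcp//snet-sensor-mgmt///\tIgnored State: closed (3)
Host: 10.20.0.13 (mon-b450-03)\tStatus: Up
Host: 10.20.0.13 (mon-b450-03)\tPorts: 22/filtered/tcp//ssh///\tIgnored State: closed (4)
# Nmap done
"""

# Each port entry looks like "22/open/tcp//ssh///": port/state/protocol/...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {port: state}} from every 'Ports:' field in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = hosts.setdefault(host, {})  # a host may appear on several lines
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m and m.group(3) == "tcp":
                    ports[int(m.group(1))] = m.group(2)
    return hosts


def exposed_services(scan_text):
    """List (host, port, service) for flagged ports that are 'open'.

    'closed' and 'filtered' are fine: the host or a firewall already
    refuses the connection, which is what the recommendation asks for.
    """
    findings = []
    for host, ports in sorted(parse_grepable(scan_text).items()):
        for port, state in sorted(ports.items()):
            if port in FLAGGED_PORTS and state == "open":
                findings.append((host, port, FLAGGED_PORTS[port]))
    return findings


if __name__ == "__main__":
    for host, port, service in exposed_services(SAMPLE_SCAN):
        print(f"{host}: {service} ({port}/tcp) reachable, should be blocked")
```

Run the real scan from a workstation outside the medical VLAN (`nmap -oG scan.txt -p 22,139,445,5900,10000 <segment>`) and feed the file to `exposed_services`; any finding means the isolation is not complete. Note that the check only confirms reachability, not whether the hard-coded keys and passwords were changed.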

Vulnerabilities in medical equipment directly threaten people's lives. The practical attacks that make it into the media are mostly limited to encrypting data and demanding a ransom (example, another example). Specialised devices with a long service life, irregular software updates and infrequent security audits can serve as an entry point into an organisation's network. Conventional attacks could be followed by tampering with the devices themselves, for instance those that set the dose of a medicine (example). Fortunately, such scenarios have so far only been demonstrated in the laboratory. In any case, medical IT infrastructure can reasonably be classified as critical, and unlike the energy sector, hospitals and clinics most often operate under chronic underfunding.

What else happened

Trend Micro built a realistic industrial production honeypot, complete with a website and mail server for a non-existent company. A detailed report presents the results of six months of operation. Nothing especially interesting: ransomware attacks, and in one case a fake one, where someone renamed a batch of files by hand and demanded a ransom. There were occasional attempts to control the industrial controllers, but they did not go beyond experiments (in one case the experiment ended with a successful shutdown of the virtual machine).

A serious vulnerability was found in the Cisco Webex conferencing service: anyone who knows the meeting number can join it from a mobile device without authentication. It is fixed by updating the mobile apps.

Kaspersky Lab examined the Shlayer trojan, which targets macOS computers. Yes, attackers still offer to update Flash Player. But new distribution methods are being used alongside the traditional banners on torrent sites, including attempts to insert malicious links into Wikipedia and into YouTube video descriptions.

An authentication bypass vulnerability was found in the web interface of Cisco Firepower Management Center, which is used to manage network devices.

In Safari, researchers (from Google) found that private browsing mode does not adequately protect users. So far this comes only from media reports; the researchers' technical write-up has not yet been published.

Fresh data leaks: Microsoft left a technical support database, with records spanning 14 years, openly accessible for almost a month. If the database reached attackers, it could be used for convincing social engineering "on behalf of Microsoft", which is already a serious problem in the West.
