Armis company has released details of nine vulnerabilities collectively known as the PwnedPiper problem. The problem affects medical equipment installed in about 80% of large hospitals in North America.
The vulnerabilities are related to the TransLogic Pneumatic Tube Systems (PTS), manufactured by Swisslog Healthcare. Similar to the classic pneumatic tube, the Translogic PTS is used in healthcare facilities to quickly move medical materials (laboratory samples, drugs, etc.) through special tubes that connect departments in large hospitals. Such systems are installed in more than 3000 medical institutions around the world.
Experts from IoT security firm Armis say they have found nine vulnerabilities in the Nexus Control Panel, the software used to control Translogic PTS.
Although the vulnerabilities can only be exploited if an attacker is connected to the hospital’s internal network and has a foothold in it, PwndPiper’s problems were deemed extremely serious due to the prevalence of Translogic PTS systems in North America.
Since the bugs were discovered back in May, the developers of Swisslog Healthcare have already prepared patches: the company has released the Nexus Control Panel version 7.2.5.7, where all vulnerabilities are fixed except one (CVE-2021-37160), a patch for which is expected at the end of the current of the year.
In general, the following flaws were found in the Translogic PTS, which were named by PwnedPiper:
- CVE-2021-37163: two cases of active hard-coded passwords (ures and root accounts) accessible via Telnet;
- CVE-2021-37167: privilege escalation (using hardcoded credentials, an attacker can run a custom script with root privileges)
- CVE-2021-37166: Denial of Service (DoS) caused by the Nexus Control Panel GUI process;
- CVE-2021-37161: insufficient amount of resources in udpRXThread;
- CVE-2021-37162: overflow in sccProcessMsg;
- CVE-2021-37165: overflow in hmiProcessMsg;
- CVE-2021-37164: three times stack overflow in tcpTxThread;
- CVE-2021-37160: most dangerous vulnerability, firmware updates in the Nexus Control
Panel are available without authentication, encryption or signature verification.
Let me remind you that I reported that BlackMatter ransomware attacks companies with revenues above $ 100 million, including many hospitals.