The software used to control pneumatic tubes in over 3,000 hospitals around the world has nine critical vulnerabilities that could halt hospital operations if exploited by a savvy attacker.
Discovered by researchers at security platform provider Armis and dubbed PwnedPiper, the vulnerabilities are in the Nexus Control Panel software used by Translogic pneumatic tube systems (PTS) built by Swisslog Healthcare. Tube systems in hospitals are commonly used to deliver medicine, transport blood and other essential medical supplies, and send lab samples across buildings that would take considerable time to deliver on foot. According to Swisslog Healthcare, their automated transport systems are used in over 2,300 hospitals in North America and over 3,000 worldwide.
SEE: Security incident response policy (TechRepublic Premium)
PTS are often internet connected, Armis said, but “despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has never been thoroughly analyzed or researched.”
Five of the vulnerabilities in PwnedPiper involve remote code execution, which an attacker could use to access a hospital network and then take over Nexus stations. Control over a Nexus station can be used to harvest data on hospital staff and computer systems, as well as acquire network layouts used to move laterally and launch ransomware attacks.
Armis describes the nine vulnerabilities it uncovered, as “critical.” They include:
- CVE-2021-37163 – Two hardcoded passwords that are accessible through the Telnet server on the Nexus Control Panel
- CVE-2021-37167 – Privilege escalation vulnerability due to a user script being run by root
- CVE-2021-37161 – Memory corruption bug in the implementation of the TLP2-0 protocol: Underflow in udpRXThread
- CVE-2021-37164 – Memory corruption bug in the implementation of the TLP2-0 protocol: Off-by-three stack overflow in tcpTxThread
- CVE-2021-37165 – Memory corruption bug in the implementation of the TLP2-0 protocol: Overflow in hmiProcessMsg
- CVE-2021-37162 – Memory corruption bug in the implementation of the TLP2-0 protocol: Overflow in sccProcessMsg
- CVE-2021-37166 – GUI socket Denial Of Service
CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade
According to the company, a successful attacker could control the entire tube network and its stations by exploiting the Nexus Control Panel software. In addition, Armis warns that an attacker “could enable sophisticated ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of the networks’ carriers, resulting in deliberate sabotage of the workings of the hospital.”
“Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments,” said Nadir Izrael, co-founder and CTO at Armis.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
The number of attacks against hospitals and medical facilities has been on a steady increase since the outbreak of the COVID-19 pandemic. Several hospitals have faced ransomware attacks, painting the threat of ransomware and cyberattacks against the healthcare industry in stark light: It’s not a possibility, it’s reality.
Swisslog will release patch v220.127.116.11
Armis told Swisslog about its Nexus PTS control software vulnerability on May 1, 2021, and reports that it has been working with the company to ensure patches are available and proper security measures are clearly outlined for customers. As a result, Swisslog has released a security advisory and is expected to release a patch for the disclosed vulnerabilities on August 2. According to the company, this patch, v18.104.22.168, “will resolve all disclosed vulnerabilities, except the unsigned firmware upgrade vulnerability (CVE-2021-37160), which will be resolved in a future release.”
Armis’ Ben Seri and Barak Hadad, the researchers behind the report, will be presenting their discoveries at Black Hat USA, and Armis has published information for hospitals on how to fight PwnedPiper.