A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwrite an internal queue data structure and can lead to remote code execution.
{"id": "CVE-2021-37161", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-37161", "description": "A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwrite an internal queue data structure and can lead to remote code execution.", "published": "2021-08-02T13:15:00", "modified": "2023-11-07T03:36:00", "epss": [{"cve": "CVE-2021-37161", "epss": 0.02442, "percentile": 0.88819, "modified": "2023-12-06"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37161", "reporter": "cve@mitre.org", "references": ["https://www.armis.com/PwnedPiper", "https://www.swisslog-healthcare.com", 
"https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37161-bulletin---underflow-in-udprxthread.pdf?rev=9395dad86d0b4811ae4a9e37f0568c2e&hash=3D8571C7A3DCC8B7D8DCB89C2DA4BB8D", "https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=CVE%20Disclosures%20%20%20%20Vulnerability%20Name%20%2C%20%20CVE-2021-37164%20%204%20more%20rows%20"], "cvelist": ["CVE-2021-37161"], "immutableFields": [], "lastseen": "2023-12-06T15:37:24", "viewCount": 47, "enchantments": {"dependencies": {"references": [{"type": "cnvd", "idList": ["CNVD-2021-62181"]}, {"type": "ics", "idList": ["ICSMA-21-215-01"]}, {"type": "prion", "idList": ["PRION:CVE-2021-37161"]}, {"type": "thn", "idList": ["THN:47EF03B4F642B827963627D742199F3E"]}, {"type": "threatpost", "idList": ["THREATPOST:145906567BE4DD61E07423F771D56785"]}]}, "score": {"value": 9.8, "uncertanity": 0.1, "vector": "NONE"}, "twitter": {"counter": 8, "modified": "2021-08-03T07:52:26", "tweets": [{"link": "https://twitter.com/CVEnew/status/1423423275967959043", "text": "CVE-2021-37161 A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwr... 
https://t.co/eRZcNXGiUk?amp=1"}, {"link": "https://twitter.com/management_sun/status/1422811135275798531", "text": "IT Risk:ICS-CERT.Swisslog Healthcare Translogic PTS Multiple Vulnerabilities\nNetwork Appliance\nCVE-2021-37167 CVE-2021-37166 CVE-2021-37165 CVE-2021-37164 CVE-2021-37163 CVE-2021-37162 CVE-2021-37161 CVE-2021-37160 \nhttps://t.co/K3ysbQcirD?amp=1\nhttps://t.co/OymTvVDdSB?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1425170203583959040", "text": " NEW: CVE-2021-37161 A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7... (click for more) Severity: CRITICAL https://t.co/dm4g3cEAuW?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1425197874556637189", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-37161 (hmi-3_control_panel_firmware)) has been published on https://t.co/sRgHaVMoP0?amp=1"}, {"link": "https://twitter.com/infosecshenoy/status/1422463079049277441", "text": "Vulnerability Name Affected Component CVE# Date Underflow in udpRXThread HMI3 Control Panel in: Nexus Panel CVE-2021-37161 02/08/2021 Overflow in sccProcessMsg HMI3 Control Panel in: Nexus Panel CVE-2021-37162 02/08/2021 Overflow in hmiProcessMsg HMI3 Control Panel in: Nexus\u2026"}, {"link": "https://twitter.com/www_sesin_at/status/1425197848711290882", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-37161 (hmi-3_control_panel_firmware)) has been published on https://t.co/PweHe7dHPO?amp=1"}, {"link": 
"https://twitter.com/management_sun/status/1422811162031185921", "text": "IT Risk:ICS-CERT.Swisslog Healthcare Translogic PTS Multiple Vulnerabilities\nNetwork Appliance\nCVE-2021-37167 CVE-2021-37166 CVE-2021-37165 CVE-2021-37164 CVE-2021-37163 CVE-2021-37162 CVE-2021-37161 CVE-2021-37160 \nhttps://t.co/K3ysbQcirD?amp=1\nhttps://t.co/OymTvVDdSB?amp=1"}]}, "backreferences": {"references": [{"type": "ics", "idList": ["ICSMA-21-215-01"]}, {"type": "thn", "idList": ["THN:47EF03B4F642B827963627D742199F3E"]}, {"type": "threatpost", "idList": ["THREATPOST:145906567BE4DD61E07423F771D56785"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "swisslog-healthcare hmi-3 control panel firmware", "version": 7}]}, "epss": [{"cve": "CVE-2021-37161", "epss": 0.01511, "percentile": 0.84977, "modified": "2023-05-07"}], "short_description": " Buffer overflow in Swisslog Healthcare Nexus Panel HMI3 Control Pane", "tags": ["cve-2021-37161", "buffer overflow", "swisslog healthcare", "nexus panel", "hmi3 control panel", "remote code execution", "nvd"], "vulnersScore": 9.8}, "_state": {"dependencies": 1701884506, "score": 1701878765, "affected_software_major_version": 0, "epss": 0, "chatgpt": 0}, "_internal": {"score_hash": "e325b71e99e837a581b3743603c08c83", "chatgpt": "bcd8b0c2eb1fce714eab6cef0d771acc"}, "cna_cvss": {"cna": "mitre", "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-120"], "affectedSoftware": [{"cpeName": "swisslog-healthcare:hmi-3_control_panel_firmware", "version": "7.2.5.7", "operator": "lt", "name": "swisslog-healthcare hmi-3 control panel firmware"}], "affectedConfiguration": [{"name": "swisslog-healthcare hmi-3 control panel", "cpeName": "swisslog-healthcare:hmi-3_control_panel", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": 
"cpe:2.3:o:swisslog-healthcare:hmi-3_control_panel_firmware:7.2.5.7:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.5.7", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:swisslog-healthcare:hmi-3_control_panel:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://www.armis.com/PwnedPiper", "name": "https://www.armis.com/PwnedPiper", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://www.swisslog-healthcare.com", "name": "https://www.swisslog-healthcare.com", "refsource": "MISC", "tags": ["Product"]}, {"url": "https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37161-bulletin---underflow-in-udprxthread.pdf?rev=9395dad86d0b4811ae4a9e37f0568c2e&hash=3D8571C7A3DCC8B7D8DCB89C2DA4BB8D", "name": "https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37161-bulletin---underflow-in-udprxthread.pdf?rev=9395dad86d0b4811ae4a9e37f0568c2e&hash=3D8571C7A3DCC8B7D8DCB89C2DA4BB8D", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=CVE%20Disclosures%20%20%20%20Vulnerability%20Name%20%2C%20%20CVE-2021-37164%20%204%20more%20rows%20", "name": "https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=CVE%20Disclosures%20%20%20%20Vulnerability%20Name%20%2C%20%20CVE-2021-37164%20%204%20more%20rows%20", "refsource": "", "tags": []}], "product_info": [{"vendor": "Swisslog-healthcare", "product": "Hmi-3_control_panel_firmware"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "exploits": [], "assigned": "2021-07-21T00:00:00"}
{"prion": [{"lastseen": "2023-11-22T00:57:05", "description": "A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwrite an internal queue data structure and can lead to remote code execution.", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-08-02T13:15:00", "type": "prion", "title": "Buffer overflow", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37161"], "modified": "2021-08-10T18:42:00", "id": "PRION:CVE-2021-37161", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-37161", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-11-05T10:21:34", "description": "Swisslog Healthcare Nexus Panel, a medical device from Swisslog Healthcare, is vulnerable to an integer underflow vulnerability in versions prior to Nexus Control Panel 7.2.5.7. 
An attacker could use this vulnerability to override the internal queue data structure, which could enable remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-04T00:00:00", "type": "cnvd", "title": "Nexus Control Panel Buffer Overflow Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37161"], "modified": "2021-08-16T00:00:00", "id": "CNVD-2021-62181", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-62181", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-08-03T04:33:54", "description": "Researchers have discovered nine vulnerabilities \u2013 collectively dubbed PwnedPiper \u2013 in the pneumatic tube systems (PTS) used in more than 80 percent of major hospitals in North America.\n\nThe bugs, in Swisslog Healthcare\u2019s Translogic PTS, include hard-coded passwords, unencrypted connections and unauthenticated firmware updates that could lead to remote code execution (RCE). 
The flaws could give an unauthenticated attacker root control and could let bad actors take over Nexus stations.\n\nThe nine critical vulnerabilities are in the Nexus Control Panel, which powers all current models of Translogic pneumatic tube system (PTS) stations sold by [Swisslog Healthcare](<https://www.swisslog-healthcare.com/>). \u201cAll current firmware versions of this device are susceptible to these vulnerabilities,\u201d Armis researchers said.\n\nAfter an attacker hijacks a Nexus station, it\u2019s all downhill from there, as Armis [reported](<https://www.armis.com/research/pwnedpiper>) on Monday, with potential ransomware attacks in the mix. \u201cBy compromising a Nexus station, an attacker can leverage it for reconnaissance purposes, including harvesting data from the station, such as RFID credentials of any employee that uses the PTS system, details about each station\u2019s functions or location, as well as gain an understanding of the physical layout of the PTS network,\u201d Armis said in a release. \u201cFrom there, an attacker can take over all Nexus stations in the tube network, and hold them hostage in a sophisticated ransomware attack.\u201d\n\nThe Translogic PTS system, used by more than 3,000 hospitals worldwide, is the pneumatic version of a hospital\u2019s veins, arteries and capillaries: The tubes deliver medications, blood, and lab samples throughout a hospital. Modern PTS systems are IP-connected, which enables them to offer advanced features. But in spite of their prevalence, these systems\u2019 security \u201chas never been thoroughly analyzed or researched,\u201d Armis asserted.\n\nArmis\u2019 statement quoted Nadir Izrael, co-founder and CTO at Armis: \u201cThis research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare. Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.\u201d\n\nWere an attacker to take over this tube network, the result could include denial-of-service (DoS), sophisticated ransomware or full blown meddler-in-the-middle (MiTM) attacks that could kneecap a targeted hospital\u2019s critical inner workings.\n\n## Attack Scenario\n\nAs an example of how these bugs could lead to compromise up to and including ransomware, Armis outlined a scenario in which an attacker gains access to a low-grade internet-of-things (IoT) device to get into a hospital\u2019s network, such as an IP camera that\u2019s connected to the internet. \n\nFrom there, they can gain access to the hospital\u2019s internal networks and target the Translogic PTS systems, which are also connected to the hospital\u2019s internal networks. After that, five of the PwnedPiper bugs can be used to achieve RCE. \n\nThe attacker can continue by exploiting one of the bugs to compromise a Nexus station. An intruder could then harvest data from the station, such as the RFID credentials of any staffer who uses the PTS system, details about the system and the layout of the PTS network. \n\nMoving laterally, the attacker could then compromise all Nexus stations, be they at the hospital\u2019s blood bank, its pharmacy or its lab, for example. The attacker could then trap medical items in the tubes, shutting down the stations one by one and posting ransomware notes on the stations\u2019 displays. 
\n\n\u201cIn this volatile state, the hospital\u2019s operations can be severely derailed,\u201d Armis detailed. \u201cMedications supplied to departments, timely delivery of lab samples, and even blood units supplied to operating rooms all depending on constant availability of the PTS.\u201d\n\nArmis doesn\u2019t know of any active exploits, and eight of the nine bugs have been fixed.\n\n## The Trouble That Advanced Features Present\n\nThe Translogic PTS system is an advanced system in that it integrates with other hospital systems. While integration presents multiple benefits, such as staff authentication via RFID, it also means that information shared between systems could be leaked or manipulated by an attacker in the case of a system compromise.\n\nArmis gave some examples of what problems a PTS compromise could look like:\n\n 1. The PTS system integrates with Swisslog\u2019s WhoTube card access system, which allows staff to use RFID cards to authenticate, limits access to PTS stations, and allows the use of Secure Transfers, in which carriers are released to a certain individual only when they present their RFID card and/or password. \u201cWhile these types of advanced features enhance the physical security of the system, they also expose staff records and their RFID credentials to potential attackers, if the PTS system were to be compromised,\u201d researchers explained.\n 2. The PTS system controls the speed of items flowing through the tubes. It can speed up the shipment of urgent items or can slow down the transfer of items that need to be handled with kid gloves. Blood products, for example, can be damaged if they\u2019re jostled within the tubes. Attackers could either damage sensitive products such as blood by speeding up the transmission, or they could delay delivery on critical items that are needed ASAP.\n 3. The PTS system offers an alert messaging solution that may integrate with the hospital\u2019s communication solutions, enabling the notification and tracking of delivered carriers, and alerting the PTS system\u2019s maintenance crew to any faults in the system. Abusing these communications can interfere with the hospital\u2019s workflows.\n\n## Unclogging the Arteries\n\nEight of the nine bugs are patched in the current Nexus Control Panel release; legacy stations are a separate problem. Swisslog said that older station models that are IP-connected (such as the IQ station) share code with the Nexus Control Panel, and are thus likely to be affected by some of these vulnerabilities. Swisslog no longer supports older stations and won\u2019t be releasing a patch for them, according to Armis.\n\nThe new, patched version of Nexus Control Panel \u2013 version 7.2.5.7 \u2013 mitigates the majority of the vulnerabilities. One remaining vulnerability, CVE-2021-37160, is due to be patched in a future release.\n\nArmis discovered the bugs on May 1 and has since been working with Swisslog to understand their impact, to develop and test a patch, and to develop mitigation steps. 
Swisslog released a [security advisory](<https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures>) today, Tuesday, that details these flaws:\n\nVulnerability Name | Affected Component | CVE# | Date (DD/MM/YYYY) \n---|---|---|--- \n[**Underflow in udpRXThread**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37161-bulletin---underflow-in-udprxthread.pdf?rev=9395dad86d0b4811ae4a9e37f0568c2e&hash=3D8571C7A3DCC8B7D8DCB89C2DA4BB8D>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37161 | 02/08/2021 \n[**Overflow in sccProcessMsg**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37162-bulletin---overflow-in-sccprocessmsg.pdf?rev=55a2a1d76199435688a8479970fc54bf&hash=4FDAB2F0EB319F0B773500669D67F3AD>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37162 | 02/08/2021 \n[**Overflow in hmiProcessMsg**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37165-bulletin---overflow-in-hmiprocessmsg.pdf?rev=2e2678dab62b41ba999cd6d1e03974ca&hash=F465ACE2C7FAED826B52FE996E36ACEC>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37165 | 02/08/2021 \n[**Off-by-three stack overflow in tcpTxThread**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37164-bulletin---off-by-three-stack-overflow-in-tcptxthread.pdf?rev=daf615075c71484c8059c906872a51e6&hash=1FCC1A5D921E231D71E6B95A9AA8B741>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37164 | 02/08/2021 \n[**GUI socket Denial Of Service**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37166-bulletin---gui-socket-denial-of-service.pdf?rev=05321b2af1064eb2a6d6e6bf77604c6b&hash=40A927FE1153AA980428C93B2EF7EB40>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37166 | 02/08/2021 \n[**No firmware update validation**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37160-bulletin---no-firmware-update-validation.pdf?rev=c7f94647037c4007992e2e626d445561&hash=E89531490070A809FB74994018BA1248>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37160 | 02/08/2021 \n[**Default credentials for the telnet server**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37163-bulletin---default-credentials-for-the-telnet-server.pdf?rev=da64c389a475494985b9fd2c2c508542&hash=466A7109AF08EBFF3756B2C25968ED5E>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37163 | 02/08/2021 \n[**Privilege escalation**](<https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37167-bulletin---privilege-escalation.pdf?rev=20c909e5f00048838620b52471f266fc&hash=F43731C7A882EEBB5CE28DFBC75933D3>) | HMI3 Control Panel in: Nexus Panel | CVE-2021-37167 | 02/08/2021 \n \n## Cue The Legacy System Upgrading Nightmare\n\nArmis Strategic Product Director Sumit Sehgal joined the Threatpost podcast on Tuesday for a deep dive into the PwnedPiper bugs and how this problem goes far beyond the pneumatic tubes. Although there are multiple flavors of Swisslog Translogic PTS, they\u2019re all running a deprecated version of Linux that can essentially give an attacker \u201cunfettered access through root\u201d that could enable them \u201cto fully control that Linux environment within the control within the control panel,\u201d he said.\n\nThe flaws in the control panel let attackers not only interfere with the functioning of the pneumatic tube system but also reach a component that sits at the very heart of other hospital systems. 
That makes the Swisslog PTS \u201ca potential unprotected and malicious endpoint in the environment of the healthcare IT health system,\u201d Sehgal said.\n\nGood luck to the healthcare organizations who\u2019ll be dealing with these critical patches and to those running legacy systems, for whom patching is a nightmare scenario of untangling system dependencies.\n\nFor Sehgal\u2019s advice on how to prioritize, you can [download the podcast here](<http://traffic.libsyn.com/digitalunderground/080221_Armis_Sumit_Senghal_mixdown.mp3>), listen to the episode below, or scroll down to read a lightly edited transcript.\n\nAs well, Armis\u2019 mitigations are below.\n\n## Mitigations in the Meantime\n\nPatching vulnerable Translogic PTS stations is \u201cessential,\u201d Armis researchers emphasized, but for those hospitals that can\u2019t exactly spin on a dime, they offered these mitigations to detect and prevent attacks:\n\n 1. Block any use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not required in production)\n 2. Deploy access control lists (ACLs), in which Translogic PTS components (stations, blowers, diverters, etc.) are only allowed to communicate with the Translogic central server (SCC).\n 3. Use the following Snort IDS rule to detect exploitation attempts of CVE-2021-37161, CVE-2021-37162 and CVE-2021-37165: \nalert udp any any -> any 12345 (msg:\"PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet\"; dsize:<21; content:\"TLPU\"; depth:4; content:\"|00 00 00 01|\"; distance:4; within:4; reference:cve,2021-37161; reference:url,https://www.armis.com/pwnedPiper; sid:9800002; rev:1;)\n 4. Use the following Snort IDS rule to detect exploitation attempts of CVE-2021-37164: \nalert udp any any -> any 12345 (msg:\"PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet\"; dsize:>350; content:\"TLPU\"; depth:4; reference:cve,2021-37164; reference:url,https://www.armis.com/pwnedPiper; sid:9800001;)\n\nOutside of that, good practice includes hardening access to sensitive systems such as PTS solutions through network segmentation and limiting access to such devices through strict firewall rules, researchers advised.\n\n## Lightly Edited Transcript\n\n**Lisa Vaas: ** Hi, and welcome to the Threatpost podcast. Today we\u2019re joined by Armis Strategic Product Director Sumit Sehgal.\n\nHe\u2019s the healthcare pro at Armis, which is an industrial controls cybersecurity outfit. He\u2019s also the former CISO of Boston Medical. We\u2019re really pleased to get him on the show to talk about serious vulnerabilities discovered in pneumatic tube systems.\n\nSumit, could you please give us a quick overview of the PwnedPiper vulnerabilities and how they can be used against hospitals?\n\n**Sumit Sehgal: **Absolutely. Thank you for having me. 
The focus of this research was looking at control systems that healthcare organizations, specifically hospitals utilize as a foundational element of providing care.\n\nAnd the Swisslog pneumatic tube system is a critical part of that ecosystem of delivery of care, because it\u2019s largely prevalent in a big piece of the healthcare environment in the U.S. As well as globally. Secondly, it\u2019s been around for more than 30, I would say 20, 30 years at the very minimum.\n\nRight? So where we focused on was the elements of what a pneumatic tube system does in a healthcare environment, which in this case is move, essentially things like lab samples, blood samples, medications from Point A to point B where they\u2019re needed in high urgency scenarios, as well as there is components of the Swisslog.\n\nPneumatic tube systems that are used for messaging delivery with systems like nurse call management solutions or clinical quality management solutions as well, that look at how care\u2019s being delivered. So what we did in our research is we went through and looked at the control systems, which in this case are called the Nexus control panels that are part of these systems.\n\nNow, one thing to know is. This is not just one type of systems Swisslog pneumatic tube systems come in many different shapes and flavors and different healthcare organizations run different versions of those. But in general, they all use the same standardized hardware behind the scenes. The summary off the PwnedPiper vulnerabilities is that we discovered 9 vulnerabilities that all have been identified through CVE numbers. That\u2019s visible on our website. 
High-level summary of those are there\u2019s two vulnerabilities that deal with hard-coded passwords for user and root accounts that can be accessed through unsecured Telnet servers.\n\nThere\u2019s a privilege escalation vulnerability that can, again, leverage hard-coded credentials to get root access, and then there\u2019s memory corruption vulnerabilities that exist in the TLP 20 protocol. That\u2019s utilized by the pneumatic tube system to process either priority for the transfer of a canister from Point A to point B or in making sure that the canisters from point A to point B reached the correct destination, then they don\u2019t get rerouted or stop in the process. The last ones that we saw were denial of service and then a design flaw that deals with firmware upgrades on the control panel, which in this case are unencrypted and unauthenticated, which may be an avenue for an attacker to potentially either interrupt the firmware update procedure or do remote code execution on that.\n\n**Lisa Vaas: **Great. And at this point you don\u2019t know of any active exploits.\n\n**Sumit Sehgal: **That we are aware of. Correct.\n\n**Lisa Vaas: **But the worst of these could lead to a ransomware attack?\n\n**Sumit Sehgal: **Yes. 
The reason I say that is most of the control panel software behind the scenes runs a deprecated version of Linux behind the scenes and essentially giving somebody unfettered access through root allows them to fully control that Linux environment within the control within the control panel.\n\nSo the control system in the control panel, that allows them to not only mess with the functioning of the pneumatic tube system, but it also functions at that point As a potential unprotected and malicious endpoint in the environment of the healthcare IT health system.\n\n**Lisa Vaas: **And this could lead to persistence as well?\n\n**Sumit Sehgal: **Yes, because of this persistence, not only within the control system, but because it has that for connectivity and it\u2019s unknown and it\u2019s at that point fully, essentially to fully own from an access and network topology perspective. There are other reconnaissance downstream and upstream that can be done.\n\nSince you have access to the full Linux distro and the, the attacker can upload additional tools.\n\n**Lisa Vaas: **That\u2019s bad. So the patch only covers eight out of the nine vulnerabilities, the patch that was released today Tuesday morning? So there\u2019s still an issue for legacy systems, which are not going to get a patch.\n\nCan we talk about that? How complicated it is that whole ecosystem?\n\n**Sumit Sehgal: ** It is important for healthcare organizations to understand the criticality of the workflows that are affected by the pneumatic tube solution in their environment and they should be leveraging not just in time scans, but a real time vulnerability management process that allows them to bring together the findings that they receive from a security perspective and really help them articulate how do those security vulnerabilities impact the clinical risk side? That second part is very, very important because that is what they need to prioritize, how they deal with this. 
For not only the, the ninth one that hasn\u2019t been patched, but like you said, for legacy. Other legacy ecosystem parts that may be in their environment.\n\nPneumatic tubes is just one part of it. A healthcare organization should not forget about things like water control systems, water control systems are essential. Part of things like irrigation during surgeries.\n\nIf you don\u2019t have proper water, you can\u2019t do procedures. Same thing with gas and suction. Oxygen is a critical component of care. Same thing with elevator control systems. You can\u2019t move patients. If you have a 30-floor building that you\u2019re doing care in, right. If the elevator\u2019s out.\n\nSo those are examples of the industrial control system that are leveraged in healthcare organizations that serve as the bedrock on top of which the medical devices function appropriately to be able to provide care. So there\u2019s legacy that you have to deal with from a Swisslog perspective, there\u2019s legacy from an ecosystem of industrial control system and OT operating technologies that healthcare physicians have.\n\nAnd then there\u2019s legacy in the medical device ecosystem state that folks need to also understand that help understand the whole ecosystem of what roles these devices play and how information flows through them as it\u2019s going upstream and downstream in the path of a patient journey.\n\n**Lisa Vaas: **We take so much of this for granted. Whenever it comes to industrial control systems, I\u2019m always just caught off guard somehow. Oh, yeah, there there\u2019s that too. Like the elevators and the water irrigation and surgery. Thank you for painting that vivid picture of what\u2019s at stake here. And it\u2019s a different scenario when it comes to prioritization, depending on what kind of hospital you\u2019re talking about, right?\n\n**Sumit Sehgal: **There is. 
Depending upon the scope, like every industry, this complexity where practices and healthcare, specifically in hospitals, go back 40, 50 years.\n\nI give the example of, number one, there\u2019s a difference of scale. So a large academic medical center that has 150,000 visits going on in the E.R. is going to function differently from a priority perspective, with one that only has 20,000 visits going on in a year, right. They may have different kinds of patients.\n\nThey may be focused on different areas of the different specialties of making the revenue targets to maintain operations. So when I talk about prioritizing, it\u2019s very important to match information security, vulnerability, and risk output to clinical safety and clinical quality.\n\nThat\u2019s what that process does, is it helps you identify for the health system you\u2019re in, in the market that you\u2019re in and for the patient mix that you\u2019re treating. With the appropriate specialty, where should you focus in on? Because when you\u2019re dealing with something like this and the ecosystem in general, it can be overwhelming for any size of health decision to deal with this quickly at scale, it just doesn\u2019t work, especially when these are environments, these ecosystems have been around for 20, 30 years. Right? So there\u2019s a process that needs to happen. There\u2019s obviously change management that needs to be done appropriately. So we are not introducing additional potential patient safety problems by fixing issues as well.\n\n**Lisa Vaas: **Yeah, that would be bad.\n\nWell, we wish the best of luck to the healthcare organizations that are dealing with this. Godspeed in getting the patches installed. And thank you so much to Armis. 
You guys really keep an eye on industrial controls, security, and we\u2019re always interested in the stuff that you do.\n\nSo thank you for this.\n\n**Sumit Sehgal: **Yeah, industrial controls and healthcare stuff as well.\n\n**Lisa Vaas: **Healthcare of course, and every place where those intersect, which is a lot of places. Well, great. Thank you so much, Sumit. I really appreciate you coming today.\n\n**Sumit Sehgal: **Absolutely. Thank you for the opportunity.\n", "cvss3": {}, "published": "2021-08-02T20:58:54", "type": "threatpost", "title": "\u2018PwnedPiper\u2019: Devastating Bugs in >80% of Hospital Pneumatics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-37160", "CVE-2021-37161", "CVE-2021-37162", "CVE-2021-37163", "CVE-2021-37164", "CVE-2021-37165", "CVE-2021-37166", "CVE-2021-37167"], "modified": "2021-08-02T20:58:54", "id": "THREATPOST:145906567BE4DD61E07423F771D56785", "href": "https://threatpost.com/pwnedpiper-bugs-hospital-pneumatics/168277/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:39:16", "description": "Cybersecurity researchers on Monday disclosed a set of nine vulnerabilities known as \"[PwnedPiper](<https://www.armis.com/research/pwnedpiper>)\" that left a widely-used pneumatic tube system (PTS) vulnerable to critical attacks, including a possibility of complete takeover.\n\nThe security weaknesses, disclosed by American cybersecurity firm Armis, impact the Translogic PTS system by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and in no fewer than 3,000 hospitals worldwide.\n\n\"These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital,\" Armis researchers Ben Seri and Barak Hadad 
said. \"This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.\"\n\nPneumatic tube systems are internal logistics and transport solutions that are used to securely transport blood, tissue, and lab samples in hospital settings to diagnostic laboratories.\n\nSuccessful exploitation of the issues, therefore, could result in leakage of sensitive information, enable an adversary to manipulate data, and even compromise the PTS network to carry out a man-in-the-middle (MitM) attack and deploy ransomware, thereby effectively halting the operations of the hospital.\n\nThe details about the nine PwnedPiper vulnerabilities are listed as follows:\n\n * **CVE-2021-37161** \u2013 Underflow in udpRXThread\n * **CVE-2021-37162** \u2013 Overflow in sccProcessMsg\n * **CVE-2021-37163** \u2013 Two hardcoded passwords accessible through the Telnet server\n * **CVE-2021-37164** \u2013 Off-by-three stack overflow in tcpTxThread\n * **CVE-2021-37165** \u2013 Overflow in hmiProcessMsg\n * **CVE-2021-37166** \u2013 GUI socket denial of service\n * **CVE-2021-37167** \u2013 User script run by root can be used for privilege escalation (PE)\n * **CVE-2021-37160** \u2013 Unauthenticated, unencrypted, unsigned firmware upgrade\n\nIn a nutshell, the flaws \u2014 which concern privilege escalation, memory corruption, and denial of service \u2014 could be abused to gain root access, achieve remote code execution, or render systems unavailable, and worse, permit an attacker to maintain persistence on compromised PTS stations via an insecure firmware upgrade procedure, leading to unauthenticated remote code execution. 
It's also worth noting that a patch for CVE-2021-37160 is expected to be shipped at a future date.\n\n\"The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility's information technology network and who could cause additional damage by leveraging these exploits,\" Swisslog Healthcare [said](<https://www.swisslog-healthcare.com/en-us/company/news/2021/07/translogic-firmware-vulnerabilities>) in an independent advisory published today.\n\nTranslogic PTS system customers are highly recommended to update to the latest firmware (Nexus Control Panel version 7.2.5.7) to mitigate any potential risk that may arise out of real-world exploitation of the shortcomings.\n\n\"This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare,\" Seri and Hadad said. \"Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T12:03:00", "type": "thn", "title": "PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37160", "CVE-2021-37161", "CVE-2021-37162", "CVE-2021-37163", "CVE-2021-37164", "CVE-2021-37165", "CVE-2021-37166", "CVE-2021-37167"], "modified": "2021-08-12T13:04:24", "id": "THN:47EF03B4F642B827963627D742199F3E", "href": "https://thehackernews.com/2021/08/pwnedpiper-pts-security-flaws-threaten.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-12-06T15:53:41", "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendor:** Swisslog Healthcare\n * **Equipment:** Translogic PTS (Pneumatic Tube Systems)\n * **Vulnerabilities:** Use of Hard-coded Password, Execution with Unnecessary Privileges, Improper Authentication, Download of Code without Integrity Check, Out-of-Bounds Write\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to gain control of the device, escalate privileges, or execute arbitrary code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nSwisslog Healthcare reports the vulnerabilities affect the following Translogic Pneumatic Tube Systems: \n\n * Nexus Control Panel, versions prior to 7.2.5.7\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [USE OF HARD-CODED PASSWORD CWE-259](<https://cwe.mitre.org/data/definitions/259.html>)\n\nUser and root accounts have hardcoded passwords that can be accessed remotely on the Nexus Control Panel. These accounts are enabled by default and cannot be turned off by native configuration of the system.\n\n[CVE-2021-37163](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37163>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.2 [EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250](<https://cwe.mitre.org/data/definitions/250.html>)\n\nA user logged in using the default credentials can gain root access to the device, which allows permissions for all the functionalities of the device.\n\n[CVE-2021-37167](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37167>) has been assigned to this vulnerability. 
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.3 [INTEGER UNDERFLOW CWE-191](<https://cwe.mitre.org/data/definitions/191.html>)\n\nA buffer overflow allows an attacker to overwrite an internal queue data structure, which could allow remote code execution.\n\n[CVE-2021-37161](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37161>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [INTEGER UNDERFLOW CWE-191](<https://cwe.mitre.org/data/definitions/191.html>)\n\nA buffer overflow allows an attacker to overwrite an internal queue data structure, which could allow remote code execution.\n\n[CVE-2021-37162](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37162>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.5 [INTEGER UNDERFLOW CWE-191](<https://cwe.mitre.org/data/definitions/191.html>)\n\nA specially crafted message to the HMI may cause an overflow, which could allow remote code execution.\n\n[CVE-2021-37165](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37165>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.6 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nReceived data can be copied to a stack buffer, resulting in an overflow.\n\n[CVE-2021-37164](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37164>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.7 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nThe method used to bind a local service to ports on device interfaces may allow the connection to be hijacked by an external attacker.\n\n[CVE-2021-37166](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37166>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.8 [DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494](<https://cwe.mitre.org/data/definitions/494.html>)\n\nThere is no file validation during an upload for an update. \n\n[CVE-2021-37160](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37160>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Healthcare\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **United States\n\n### 3.4 RESEARCHER\n\nBarak Hadad and Ben Seri from Armis reported these vulnerabilities to Swisslog.\n\n## 4\\. MITIGATIONS\n\nSwisslog Healthcare recommends upgrading to the latest software version as soon as it becomes available. Version 7.2.5.7 is reported to fix all vulnerabilities above except [CVE-2021-37160](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37160>). Use the latest version together with mitigation methods below to protect against exploitation of all the listed vulnerabilities. \nSwisslog also recommends the following mitigation methods until updated software is deployed:\n\n * Network firewalls that restrict inter-VLAN traffic on the network must allow inbound and outbound internal network connections for the ports listed in \u201cWindows firewalls.\u201d Do not restrict these ports to specific applications.\n * If there is no firewall between the SCC and the floor devices, apply an extended access control list (ACL) in the Layer 3 VLAN that is dedicated to the PTS floor equipment. Both inbound and outbound access lists are required between the SCC server and floor equipment, allowing the use of the TCP and UDP ports listed.\n * Employ an IDS (intrusion detection system) such as SNORT to detect exploitation attempts.\n\nArmis recommends the following practices to identify and block attempts to exploit these issues.\n\n * Block any use of Telnet (Port 23) on the Translogic PTS stations. The Telnet service is not required in production.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:\n\n * Ensure the least-privilege user principle is followed.\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nCISA also recommends users take the following measures to protect themselves from social engineering attacks: \n\n * Do not click web links or open unsolicited attachments in 
email messages. \n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams. \n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nNo known public exploits specifically target these vulnerabilities. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-03T12:00:00", "type": "ics", "title": "Swisslog Healthcare Translogic PTS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37160", "CVE-2021-37161", "CVE-2021-37162", "CVE-2021-37163", "CVE-2021-37164", "CVE-2021-37165", "CVE-2021-37166", "CVE-2021-37167"], "modified": "2021-08-03T12:00:00", "id": "ICSMA-21-215-01", "href": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-215-01", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}