The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about remotely exploitable vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application.
The vulnerabilities are present in TotalAlert Scroll Medical Air Systems running software versions 4107600010.23 and earlier and require a low level of technical skill to exploit.
If successfully exploited, an attacker could view and potentially modify device information and web application setup information, although those modifications would not be sufficient to affect the ability of the device to operate as designed.
BeaconMedaes has stressed that the vulnerabilities cannot be exploited to gain access to patient health information and do not compromise compliance with the NFPA 99 standard for healthcare facilities.
ICS-CERT says two of the vulnerabilities have a CVSS v3 score of 7.5 out of 10 (high) and one has a CVSS v3 score of 5.3 (medium).
The two vulnerabilities rated high are CWE-522 – Insufficiently Protected Credentials – and CWE-256 – Unprotected Storage of Credentials. CWE-522 could be exploited by an attacker with network access to the integrated web server and could allow retrieval of default or user-defined credentials that are stored and transmitted in an insecure manner. CWE-256 concerns passwords presented in plaintext in a file that can be accessed without authentication.
CWE-284 – Improper access credentials – is rated medium. By accessing a specific URL on the web server, an attacker could access information in the application without authentication.
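The two weakness classes named above (credentials kept in plaintext in a file the web server will hand out, and a setup URL that answers without any authentication check) are easy to see side by side in code. The following is an added illustration written for this page, not BeaconMedaes' software or anything from the advisory: it contrasts a constructed insecure request handler with a hardened one that authenticates every request, keeps only salted PBKDF2 digests of passwords, and strips the credential from the setup information it returns. All device names, passwords and field names are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed sample: a device setup file as an insecure web application might
# keep it on disk, with the operator password stored in plaintext (CWE-256).
INSECURE_CONFIG = {
    "device_name": "medical-air-unit-01",  # constructed value
    "admin_user": "admin",
    "admin_password": "changeme",          # constructed value
    "alarm_threshold_psi": 55,
}

PBKDF2_ROUNDS = 200_000


def serve_config_insecure(path, headers):
    """Weak pattern: the setup file is returned to any client that requests
    the URL, with no authentication check (CWE-284), and the file still
    contains the plaintext password (CWE-256)."""
    if path == "/config":
        return 200, json.dumps(INSECURE_CONFIG)
    return 404, ""


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the stored value cannot be
    turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class CredentialStore:
    """Holds only (salt, digest) pairs; the plaintext password is never written."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        self._users[username] = hash_password(password)

    def check(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            # Spend comparable time so an unknown user is not distinguishable by timing
            hash_password(password, b"\x00" * 16)
            return False
        return verify_password(password, *entry)


def basic_auth_header(username, password):
    """Build the Authorization header value a client would send (for the demo)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def parse_basic_auth(headers):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def serve_config_hardened(path, headers, store):
    """Hardened pattern: every request is authenticated before the path is
    even looked at, and the response carries the setup information but never
    the credential itself."""
    creds = parse_basic_auth(headers)
    if creds is None or not store.check(*creds):
        return 401, ""
    if path == "/config":
        public_view = {k: v for k, v in INSECURE_CONFIG.items() if "password" not in k}
        return 200, json.dumps(public_view)
    return 404, ""


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("admin", "correct horse battery staple")  # constructed password
    print("insecure:", serve_config_insecure("/config", {}))
    print("hardened, no auth:", serve_config_hardened("/config", {}, store))
    print("hardened, auth:", serve_config_hardened(
        "/config", basic_auth_header("admin", "correct horse battery staple"), store))
```

The hardened handler checks authentication before it checks the path, so an unauthenticated client learns nothing about which URLs exist, and the JSON it returns is a filtered view rather than the raw file, so adding a new secret field to the configuration does not silently re-expose it.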
The vulnerabilities were reported to the National Cybersecurity and Communications Integration Center (NCCIC) by security researcher Maxim Rupp.
NCCIC recommends users take measures to minimize the risk of the flaws being exploited. These include:
- Minimizing network exposure for all control system devices
- Ensuring control system devices are not exposed to the Internet
- Locating control system networks behind firewalls
- Isolating control system networks from the business network
- Using VPNs when remote access is required, and keeping those VPNs updated to the most current version.
BeaconMedaes has assessed the vulnerabilities and addressed them in an update – version 4107600010.24 – which corrects the flaws and should be applied as soon as possible.
BeaconMedaes recommends that affected users contact the company directly at 1-888-4MEDGAS (463-3427) to obtain the update.
NCCIC recommends that organizations perform an impact analysis and risk assessment before updating software or implementing defensive measures.