Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers

Two vulnerabilities have been identified in Fujifilm computed radiography cassette readers. If exploited, an attacker could gain access to the operating system, execute arbitrary code, render the devices inoperable, alter functionality, and cause image loss.

The vulnerabilities are present in the following Fujifilm computed radiography cassette readers:

  • CR-IR 357 FCR Capsula X
  • CR-IR 357 FCR Carbon X
  • CR-IR 357 FCR XC-2

The most serious vulnerability – CVE-2019-10950 – is due to improper access controls on telnet services. A remote attacker with a relatively low level of skill could exploit the vulnerability to gain access to the operating system and remotely execute code and affect the functionality of the device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

The second vulnerability – CVE-2019-10948 – is due to uncontrolled resource consumption. An overflow of TCP packets could be caused in a denial of service (DoS) attack. If exploited, a DoS attack could render the device in operable and would require a reboot to restore functionality. The vulnerability has been assigned a CVSS v3 base score of 7.5.

The vulnerabilities were identified by Marc Ruef and Rocco Gagliardi of Scip AG.

To prevent exploitation of the vulnerabilities, users can configure the CR-IR-357 system with ‘Secure Host functionality.’ This configuration instructs the CR-IR-357 system to ignore network traffic other than from the IP address of the image acquisition console.

This mitigation will only be an option for users that have one image acquisition console using the CR-IR-357 Reader Unit. With this configuration activated, multiple image acquisition consoles cannot share the Reader Unit as network traffic will only be accepted from a single IP address. If Reader Unit sharing has been implemented, Fujifilm should be contacted for further information on other possible mitigations.

Users should also ensure that appropriate administrative and technical controls are implemented to prevent unauthorized devices and users from connecting to the network. Fujifilm also recommends segmenting the network or using a VLAN to segregate public traffic from the private network.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.