Siemens Healthineers Products Vulnerable to Microsoft BlueKeep Wormable Flaw

Six security advisories have been issued covering Siemens Healthineers products. The flaws have been assigned a CVSS v3 score of 9.8 and concern the recently announced Microsoft BlueKeep RDS flaw – CVE-2019-0708.

CVE-2019-0708 is a remotely exploitable flaw that requires no user interaction to exploit. An attacker could gain full control of a vulnerable device by sending specially crafted requests to its Remote Desktop Services over RDP.

The flaw is wormable and can be exploited to spread malware to all vulnerable devices on a network in a similar fashion to the WannaCry attacks of 2017. The severity of the vulnerability prompted Microsoft to issue patches for all vulnerable operating systems, including unsupported Windows versions which are still used in many healthcare and industrial facilities.

The flaw affects Windows 2003, Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. If the patch cannot be applied, RDP should be disabled, port 3389 should be blocked at the firewall, and Network Level Authentication (NLA) should be enabled.
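As an added example (not from the article, Siemens or Microsoft), the following PowerShell script audits the three workarounds named above on a single Windows host: whether RDP is disabled, whether NLA is enforced, and whether one of the May 2019 updates is installed. The KB numbers in it are assumed from memory and should be confirmed against Microsoft's CVE-2019-0708 advisory; the firewall rule for TCP port 3389 is reported as a reminder only, since it must be checked on the perimeter device or with the host firewall tooling of that Windows version.

```powershell
# Added audit script, not part of the article or of any Siemens/Microsoft tooling.
# Run in an elevated PowerShell session on Windows 7 / Server 2008 / 2008 R2.
# KB IDs below are assumed (May 2019 rollup / security-only updates); verify them
# against Microsoft's CVE-2019-0708 advisory before relying on the result.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"
$KbList = @('KB4499175', 'KB4499164', 'KB4499149', 'KB4499180')  # assumed, see note

function Get-RdpMitigationStatus {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused (RDP disabled).
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created.
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Listener port; 3389 unless an administrator changed it.
    $port = (Get-ItemProperty -Path $RdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    # Installed hotfixes whose ID matches one of the assumed CVE-2019-0708 updates.
    $fixes = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KbList -contains $_.HotFixID })

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpDisabled    = ($deny -eq 1)
        NlaRequired    = ($nla -eq 1)
        RdpPort        = $port
        PatchInstalled = ($fixes.Count -gt 0)
        PatchKBs       = (($fixes | ForEach-Object { $_.HotFixID }) -join ',')
    }
}

$status = Get-RdpMitigationStatus
$status | Format-List

# A host is acceptable if it is patched or has RDP disabled; otherwise report what is missing.
if (-not $status.PatchInstalled -and -not $status.RdpDisabled) {
    if ($status.NlaRequired) {
        Write-Warning "Unpatched: RDP enabled, NLA required. Block TCP port $($status.RdpPort) at the firewall until patched."
    } else {
        Write-Warning "Unpatched and exposed: RDP enabled without NLA. Disable RDP or enforce NLA, and block TCP port $($status.RdpPort)."
    }
}
```

Run it through your inventory tooling (for example with Invoke-Command against a list of device hosts) to get one status object per device rather than checking each imaging workstation by hand.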

Following Microsoft’s announcement about the RDS flaw and the release of the patches, Siemens conducted an investigation to determine which Siemens Healthineers products were affected. Six classes of product were found to be vulnerable.

The exploitability of the vulnerability on these products will depend on the specific configuration and deployment environment. The vulnerabilities can generally be addressed by applying the Microsoft patch, although compatibility of the patch with any devices beyond end-of-life cannot be guaranteed.

Customers with vulnerable devices can obtain patch and remediation advice from their local Siemens Healthineers customer service engineer, portal, or Regional Support Center.

Siemens Healthineers Software Products

MagicLinkA, MagicView (100W and 300), Medicalis (Clinical Decision Support, Intelligo, Referral Management, and Workflow Orchestrator), Screening Navigator, Syngo (Dynamics, Imaging, Plaza, Workflow MLR, Workflow SLR, via, via View&Go, and via WebViewer), and Teamplay.

Users should install the Microsoft patch. Risk can be reduced by ensuring a secure deployment in accordance with Siemens recommendations and ensuring AV software is in use and is regularly updated.

Siemens Healthineers Advanced Therapy Products

System Acom, Sensis and VM SIS Virtual Server

Siemens recommends disabling RDP on Acom systems and following Microsoft’s workarounds and mitigations on Sensis and VM SIS Virtual Server until a patch is made available.

Siemens Healthineers Radiation Oncology Products

All versions of Lantis

Siemens recommends disabling RDP and closing TCP port 3389.

Siemens Healthineers Laboratory Diagnostics Products

Most Laboratory Diagnostics products are unaffected by the vulnerability.

Vulnerable products are:

Atellica Solution, Aptio by Siemens, Aptio by Inpeco, Streamlab, CentraLink, Syngo Lab Process Manager, Viva E, and Viva Twin. Siemens Healthineers will provide customers with further information on the plan and details of activities to improve security.

For the following products, customers should use Microsoft’s workarounds and mitigations until Siemens makes a patch available on June 3, 2019.

Atellica COAG 360 (Windows 7), Atellica NEPH 630 (Windows 7), BCS XP (XP and Windows 7), BN ProSpec (XP and Windows 7),

The patch is currently under investigation for the following products. Microsoft’s workarounds and mitigations should be used in the interim.

CS 2000 (XP and Windows 7), CS 2100 (XP and Windows 7), CS 2500 (Windows 7), and CS 5100 (XP and Windows 7).

Siemens Healthineers Radiography and Mobile X-Ray Products

All versions of the following products with the Canon detector are vulnerable. Customers should contact their Siemens Regional Support Center for advice and, if possible, should block TCP port 3389.

Axiom (Multix M, Vertic MD Trauma, and Solitaire M), MobileTT XP Digital, Multix (Pro ACSS P, Pro P, PRO/PRO ACSS/PRO Navy, Swing, TOP, Top ACSS, and TOP P/TOP ACSS P), and Vertix Solitaire.

Siemens Healthineers Point of Care Diagnostics Products

AUWi, AUWi Pro, Rapid Point 500 (v2.2, 2.2.1, 2.2.2, 2.3, 2.3.1, and 2.3.2)

No immediate action is required as a patch will be made available in June 2019. In the meantime, Microsoft’s workaround and mitigations can be used for interim countermeasures.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.