URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning

Security researchers at Armis have identified 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component used in hospital networks and certain medical devices.

The vulnerabilities were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA), prompting an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the flaws.

The FDA alert – named URGENT/11 – explains that the vulnerabilities could be remotely exploited by a threat actor to take full control of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, trigger logical flaws, or cause a denial-of-service condition that stops the device from working.

While there have been no reports of the flaws being exploited in the wild, the FDA warns that the software required to exploit the flaws is publicly available.

The Interpeak IPnet TCP/IP Stack supports network communications between computers. While it is no longer supported by the original developer, some device manufacturers are licensed to use the component in their software applications, systems, and equipment without support.

The FDA warns that the vulnerable component is in use in some versions of the following operating systems:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Certain Becton Dickinson (BD), Drager, GE Healthcare, Philips Healthcare, and Spacelabs products are also affected by the flaws. Each of those companies has released security advisories about the affected products.

Wind River holds the license for IPnet and has released patches to mitigate the vulnerabilities. If it is not possible to upgrade to the latest version of the OSE, other mitigating controls can be implemented to reduce the risk of exploitation. Wind River should be contacted for details of possible compensating controls.

The flaws are detailed in the ICS-CERT Medical Advisory (ICSMA-19-274-01). The FDA has released recommendations for device manufacturers, healthcare providers, healthcare facility staff, patients and caregivers in its Safety Communication.

Healthcare providers have been advised to work with their device manufacturers to determine which devices are vulnerable and find out about the steps that need to be taken to secure the devices. They have also been advised to inform patients using vulnerable devices to immediately report any suspected operational or functional changes to their medical devices.

Nine of the vulnerabilities are classed as high severity, with CVSS v3 scores of between 7.0 and 10; three of them have a score of 9.8. In order of severity, the CVE numbers are: CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12257, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, and CVE-2019-12265.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.