Vulnerabilities Identified in PeerVue Web Server, Carestream Vue RIS and Siemens Healthcare Products
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued five advisories in the past week about vulnerabilities discovered in equipment used by healthcare organizations in the United States.
Change Healthcare PeerVue Web Server
A vulnerability (CVE-2018-10624) has been identified in the Change Healthcare PeerVue Web Server which could allow an attacker to gain information about the web server that would enable it to be targeted in a cyberattack. The vulnerability only requires a low level of skill to exploit by an attacker on an adjacent network. The vulnerability exposes information through an error message.
The flaw was discovered by security researcher Dan Regalado of Zingbox and has been assigned a CVSS v3 base score of 4.3.
Change Healthcare took rapid action to address the vulnerability and a patch has now been issued. Users should contact Change Healthcare if they are running PeerVue Web Server 7.6.2 or earlier for information about installing the patch.
Carestream Vue RIS
A remotely exploitable vulnerability (CVE-2018-17891) has been discovered in the Carestream Vue RIS web-based radiology system which, if exploited, would allow an attacker with access to the network to passively read traffic.
Carestream has confirmed that the vulnerability affects version 11.2 of RIS Client Builds and earlier versions, which are running on Windows 8.1 machines with IIS/7.5.
The vulnerability would allow an attacker to gain access to information through an HTTP 500 error message that is triggered when contacting a Carestream server when there is no Oracle TNS listener available. The information that is exposed could be used to initiate a more elaborate attack.
The vulnerability, which was also identified by Dan Regalado of Zingbox, has been assigned a CVSS v3 base score of 3.7.
Carestream has resolved the vulnerability in the current version of its software (v11.3). Users unable to upgrade immediately should disable “Show debug messages” and enable SSL for client/server communications.
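A defender's check for the condition described above, added here as an example (it is not Carestream or ICS-CERT code): it flags HTTP 5xx responses that leak backend detail and connections that are not using SSL. The host name, sample responses and pattern set are constructed assumptions; ORA-12541 is Oracle's generic "TNS:no listener" error code, used only as sample text.

```python
import re

# Generic markers of debug detail reaching the client. Chosen for this
# example; they are not signatures taken from the Carestream advisory.
LEAK_PATTERNS = {
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    "dotnet_stack_trace": re.compile(r"^\s+at [\w.<>]+\(.*\)", re.M),
    "filesystem_path": re.compile(r"\b[A-Za-z]:\\(?:[\w.$ -]+\\)+[\w.$ -]+"),
}
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_response(url, status, headers, body):
    """Return a sorted list of disclosure findings for one HTTP response."""
    findings = set()
    # Plain HTTP lets anyone on the network path read the exchange.
    if url.lower().startswith("http://"):
        findings.add("plaintext_transport")
    for name, value in headers.items():
        # A banner header only counts when it carries a version number.
        if name.lower() in VERSION_HEADERS and re.search(r"\d+\.\d+", value):
            findings.add("version_header:" + name.lower())
    # Error bodies are where debug messages surface, so inspect 5xx only.
    if status >= 500:
        for label, pattern in LEAK_PATTERNS.items():
            if pattern.search(body):
                findings.add(label)
    return sorted(findings)


# Constructed sample responses (not captured from any real product).
VERBOSE = (
    "http://ris.example.internal/login", 500,
    {"Server": "Microsoft-IIS/7.5", "X-AspNet-Version": "4.0.30319"},
    "Server Error in '/' Application.\n"
    "ORA-12541: TNS:no listener\n"
    "   at Example.Data.Db.Open(String cs) in C:\\inetpub\\app\\Db.cs:line 42\n",
)
HARDENED = (
    "https://ris.example.internal/login", 500,
    {"Server": "Microsoft-IIS"},
    "An internal error occurred. Reference: 7f3a.",
)

if __name__ == "__main__":
    for sample in (VERBOSE, HARDENED):
        print(sample[0], "->", audit_response(*sample))
```

An empty result for an error response is the state the interim mitigation aims for: debug messages off and SSL on.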
Siemens SCALANCE W1750D
Siemens has discovered a vulnerability (CVE-2018-13099) in version 184.108.40.206 and earlier versions of its SCALANCE W1750D WLAN access point which could allow an attacker to decrypt TLS traffic. ICS-CERT notes that there are already public exploits available for the vulnerability.
To exploit the vulnerability, the attacker would require network access to a vulnerable device. By observing TLS traffic between a legitimate user and a device, the attacker could then decrypt that traffic.
The vulnerability has been assigned a CVSS v3 base score of 5.9.
Siemens has corrected the flaw with a firmware upgrade and all users are advised to upgrade to v220.127.116.11 as soon as possible. Siemens recommends that administrators restrict access to the web interface of affected devices until the firmware upgrade is applied, and only operate the devices in a protected IT environment.
Siemens ROX II
Siemens has discovered two improper privilege management vulnerabilities affecting all versions of its ROX II products prior to v2.12.1. The vulnerabilities can be exploited remotely and only require a low level of skill.
Siemens reports that an attacker with access to Port 22/TCP with valid low-privileged user credentials for the device could exploit a vulnerability (CVE-2018-13801) to escalate privileges and gain root access to the device. The vulnerability has been assigned a CVSS v3 base score of 8.8.
An authenticated individual with high-privileged user account access via the SSH interface on Port 22/TCP could bypass restrictions and execute arbitrary operating system commands. This vulnerability (CVE-2018-13802) has been assigned a CVSS v3 base score of 7.2.
Both vulnerabilities have been corrected in v2.12.1 of the software and users have been advised to upgrade as soon as possible. In the meantime, network access to Port 22/TCP should be restricted, if possible.
Siemens SIMATIC S7-1200 CPU Family Version 4
A remotely exploitable vulnerability (CVE-2018-13800) has been identified in all versions prior to 4.2.3 of SIMATIC S7-1200 CPU Family Version 4.
The cross-site request forgery vulnerability could be exploited if a legitimate user who has been authenticated to the web interface is fooled into accessing a malicious link – via email for instance. By exploiting the vulnerability, the attacker could read or modify parts of the device configuration.
The vulnerability, identified by Lisa Fournet and Marl Joos from P3 communications GmbH, has been assigned a CVSS v3 base score of 7.5.
Siemens has addressed the vulnerability with a new firmware version and has urged all users to upgrade to v4.2.3 as soon as possible. Until the firmware upgrade has been applied, Siemens recommends that users do not visit other websites while they are authenticated against the PLC.