Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities. Exploits for the vulnerabilities are already publicly available.

The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7.

The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and to the networks to which the systems are connected. One of the main risks is malware and ransomware infections; ransomware in particular can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems, causing patients harm.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied. Siemens rated the flaws as highly critical, giving them a CVSS score of 9.8 out of 10, and suggests the devices should be run in standalone mode until the patches are applied.

To protect the systems from attack, healthcare organizations should ensure the systems are not accessible over the Internet, are isolated from other networks, and are located behind firewalls.

If remote access is required, Virtual Private Networks (VPNs) should be used, although the use of VPNs is not without risks. Many VPNs also have vulnerabilities that could be remotely exploited. ICS-CERT says if remote access is unavoidable, the latest versions of VPNs should be used.

One of the vulnerabilities concerns improper restriction of operations within the bounds of a memory buffer, two are code injection vulnerabilities, and one involves permissions, privileges and access controls. All the vulnerabilities are remotely exploitable. The code injection vulnerabilities can be exploited by sending a specially crafted HTTP request over ports 80 and 443 to the Microsoft IIS webserver. The remaining two vulnerabilities could be exploited by sending a specially crafted request to the HP Client Automation service.

ICS-CERT says exploiting the vulnerabilities would only require a low skill level.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.