Okay, I checked the calendar, and it is May 1st, not April 1st; the only thing I can think of is that someone spiked the water cooler at ICS-CERT HQ with some REALLY good drugs. Today they issued an advisory for multiple vulnerabilities in the AMTELCO miSecure Message (MSM) medical messaging system. No, this is not about communications with medical devices; that would be pretty close to control systems. These are the systems used to relay messages to doctors via cell phones and BlackBerrys. And it’s not even Heartbleed.
The vulnerabilities were discovered by Jared Bird of Allina Health and were coordinated with CERT/CC (Carnegie Mellon CERT). Great, this is where this advisory belongs. It was published there on April 11th and updated on April 18th. So why was it published on the ICS-CERT site? I don’t know; drug testing should seriously be considered.
Okay, I will give ICS-CERT some minor credit. The miscellaneous mitigation verbiage at the end of the advisory was actually changed to sort of reflect the actual use of this system and the environment in which it is used. There is no reference to isolating the system from the internet or using VPN for remote access. Too bad they can’t always remember to change those standard recommendations when they are not appropriate to actual control system vulnerabilities.