Today the DHS ICS-CERT published two medical control system
security advisories for products from Becton, Dickinson and Company (BD) and an
industrial control system advisory for products from Sielco Sistemi. Both BD
advisories were previously published on the NCCIC Portal on January 17, 2017.
Yesterday ICS-CERT updated their medical control system advisory for products
from St. Jude; that advisory was originally
published on January 9th, 2017.
BD Alaris 8015 Advisory
This advisory
describes twin insufficiently protected credentials vulnerabilities in the BD
Alaris 8015 Point of Care (PC) unit, which provides a common user interface for
programming intravenous infusions. The vulnerabilities were self-reported, but
the BD
Security Bulletin reports that unnamed “independent security researchers”
were involved in finding the vulnerability. The advisory provides multiple compensating
controls that mitigate the vulnerability.
ICS-CERT reports that both vulnerabilities could be
exploited by a relatively unskilled attacker with physical access to the
devices. Both would require access to a flash drive: one installed in the unit,
the other removable. A successful exploit would allow the attacker access
to the host facility’s wireless network authentication credentials and other
sensitive technical data.
There is no mention of this vulnerability on the FDA
Medical Device Safety Communications page.
BD Alaris 8000 Advisory
This advisory
describes an insufficiently protected credentials vulnerability in the BD
Alaris 8015 Point of Care (PC) unit, which provides a common user interface for
programming intravenous infusions. The only difference in this advisory is that
only an internal flash memory device is involved.
ICS-CERT reports that a relatively low-skilled attacker with
physical access to the device could exploit this vulnerability. The BD Security
Bulletin, however, notes:
“Attack complexity is HIGH based on
limited availability of these wireless credentials that are stored in the PCU
on internal flash memory. The attacker would then have to use advanced tools to
read the flash memory, decode the file system, and then locate and read the
credential data. No system privilege is required and an attacker would be able
to read the credential data without a user name or password.”
Sielco Sistemi Advisory
This advisory
describes an uncontrolled search path element vulnerability in the Sielco
Sistemi Winlog SCADA software. The vulnerability was reported by Karn Ganeshen.
Sielco Sistemi has released a new version of the software to mitigate the
vulnerability. There is no indication that Ganeshen has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT did not comment on the exploitability of this
vulnerability except to note that a successful exploit may allow an attacker to
load a malicious DLL and execute code on the affected system with the same
privileges as the application that loaded the malicious DLL.
St. Jude Update
This update
provides new information on:
• The versions of the device that
are affected by the vulnerability; and
• How the various versions of the device may be
affected.
The FDA
Safety Communication about this vulnerability has not been updated with the
new information.