Yesterday the DHS ICS-CERT published a medical device
security advisory for products from BMC Medical and 3B Medical (one advisory).
They also published a control system security advisory for products from
Advantech.
BMC Medical Advisory
This advisory
describes an improper input validation vulnerability in the Luna continuous
positive airway pressure (CPAP) therapy machine produced jointly by BMC Medical
and 3B Medical. The vulnerability was reported by MedSec.
Newer versions (after July 2017) have had the problem corrected; ICS-CERT
reports that the companies do not plan on providing mitigation measures for ‘older’
(before July 2017) machines.
ICS-CERT reports that a relatively low skilled attacker with
adjacent network access could exploit the vulnerability to cause a crash of the
device’s Wi-Fi module resulting in a denial-of-service condition affecting the
Wi-Fi module chipset. This does not affect the device’s ability to deliver
therapy.
NOTE: Buyers of CPAP devices should take careful note of the
lack of post-production cybersecurity support demonstrated for this brand of
devices.
Advantech Advisory
This advisory
describes a heap-based buffer overflow vulnerability in the Advantech WebOP
operator panels. The vulnerability was reported by Ariele Caltabiano (kimiya)
via the Zero Day Initiative. ICS-CERT reports that Advantech was unable to
verify the validity of this vulnerability. (NOTE: this obviously means that no
mitigation measures appear to be forthcoming.)
ICS-CERT reports that a relatively low skilled attacker with
uncharacterized access could use publicly available exploits for this
vulnerability to crash the target device, which may also allow arbitrary code
execution.
NOTE: There are a large number of ‘pending’ vulnerability
reports on Advantech products currently listed on the ZDI web site.