Tuesday, June 15, 2021

Is something going on with ZOLL Defibrillators?

Okay, this probably does not mean anything, but something odd is going on with the recent advisory about the vulnerabilities in the ZOLL Defibrillator Dashboard. As I reported last week, CISA’s NCCIC-ICS published a medical device security advisory describing five vulnerabilities in the Defibrillator Dashboard from ZOLL.

According to the advisory from NCCIC-ICS, ZOLL has new versions available to mitigate the vulnerabilities. On the surface, the only odd thing about the advisory was that the vulnerabilities were reported to CISA by an anonymous researcher. One could speculate about why the researcher wanted to remain anonymous, but at this point it would be just speculation. In any case, NCCIC-ICS reported the vulnerabilities to ZOLL, ZOLL corrected the problems, and NCCIC-ICS published the advisory. Nothing unusual here.

Then, yesterday, CISA published an advisory about the same vulnerabilities, pointing at the NCCIC-ICS advisory. No new information, just the pointer and a recommendation that:

“CISA encourages users and administrators to review the ICS Medical Advisory ICSMA-21-161-01 and apply the recommended mitigations.”

I thought that that was a little bit odd, CISA issuing an advisory pointing at an earlier CISA advisory with no new information, but I did not really start to get curious until I saw the following TWEET® from @ICS-CERT this morning:

“ICYMI

@CISAgov recently released an #ICS Medical Advisory on multiple vulnerabilities in the ZOLL Defibrillator Dashboard. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

#VulnerabilityManagement #OT #IoT #Healthcare”

Obviously, someone at CISA thinks that these vulnerabilities are unusually important. So, maybe there are exploits in the wild? I search both cve.mitre.org and nvd.nist.gov for the six reported CVEs and get nothing; the CVEs have been reserved, but no data has been given to either organization yet. This is not really unusual; it may take as much as a week from the time NCCIC-ICS publishes an advisory for the CVE information to make it into the National Vulnerability Database.

Okay, so next I do a Google® search for the ZOLL Defibrillator Dashboard to see if there are any news articles about problems. No problems found there. But I did see almost nine pages of references to unrelated articles on Homeland Security Today, dating back to January. Why? Because each article currently has the same ‘You Might Be Interested’ text box at the bottom:

“JUNE 14, 2021

CISA Releases Advisory on ZOLL Defibrillator Dashboard

“CISA has released an Industrial Controls Systems (ICS) Medical Advisory on multiple vulnerabilities in the ZOLL Defibrillator Dashboard. A remote…”

That text box refers back to the short article on the site that refers back to yesterday’s CISA advisory. Except that most of those pages no longer have that text box; Homeland Security Today keeps changing what boxes show up on the bottom of their pages to keep people flowing back to their web site. Good internal SEO work.

Oh, nothing on the FDA’s medical device cybersecurity page, but they have not reported on a vulnerability since 2019, so nothing new there (in both ways of looking at that phrase). And nothing on the ZOLL webpages, but lots of companies ignore their cyber vulnerabilities, so nothing too unusual with that.

In any case, I still cannot tell why CISA is so concerned about the ZOLL Defibrillator Dashboard…. If you have one, just update it, please.
