Hospitals across the world that use Swisslog's TransLogic Pneumatic Tube System (PTS) are exposed to a set of vulnerabilities collectively termed PwnedPiper. The nine vulnerabilities were found in research conducted by Armis, a connected device security company.
Over 2300 hospitals in North America and more than 3000 units worldwide are affected by this set of vulnerabilities. Researchers Barak Hadad and Ben Seri explain the issues in detail in a technical paper and demonstrate how a remote or local attacker might be able to exploit them. The findings will also be presented at this week's Black Hat security conference.
Armis reported the vulnerabilities to Swisslog on May 1 and has since worked with the vendor to develop a patch for systems at risk. The vulnerabilities were found in the firmware powering the Nexus Control Panel, which manages all current models of the Translogic PTS station.
Swisslog has acknowledged the issue and stated that the vulnerabilities affect the HMI-3 circuit board in Nexus panels that have internet access. In an advisory published earlier this week, Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, stated that the vulnerabilities can only be exploited under a combination of variables.
Hacking hospital pipes
In Armis’ research, the following major vulnerabilities were found.
- CVE-2021-37163: Two always-active, hardcoded passwords for the user and root accounts, usable over Telnet.
- CVE-2021-37167: Privilege escalation. Allows an attacker to run a custom script with root privileges using hardcoded credentials.
- CVE-2021-37166: Potential Denial of Service (DoS), caused by the GUI process of the Nexus Control Panel binding a local service on all interfaces.
- CVE-2021-37160: Allows unencrypted, unauthenticated firmware updates on the Nexus Control Panel, letting an attacker gain full control over the system by installing malicious firmware. Possibly the most severe issue, and the only one that remains unfixed so far.
Apart from these vulnerabilities, four memory corruption bugs were also found in the control protocol of the TransLogic stations, which could lead to remote code execution or, at the very least, a DoS attack. The bugs have been assigned the following CVE codes.
As of right now, a patch labelled v220.127.116.11 has been released, which fixes all vulnerabilities except CVE-2021-37160; that one will be fixed in a future firmware update.
For hospitals that cannot install the latest available firmware, Armis has provided the following mitigations to reduce the risk of attack.
- Block any use of the Telnet port (port 22).
- Deploy access control lists (ACLs) that allow PTS components to communicate only with the Translogic central server.
The company has also released two Snort IDS rules to detect exploitation attempts for various vulnerabilities.
For vulnerabilities CVE-2021-37161, CVE-2021-37162 and CVE-2021-37165:
alert udp any any -> any 12345 (msg:"PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet"; dsize:
alert udp any any -> any 12345 (msg:"PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet";dsize:>350; content:"TLPU"; depth:4; reference:cve,2021-37164; reference:url,https://www.armis.com/pwnedPiper; sid:9800001;)
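As an added illustration (not code from Armis or Swisslog), the following Python reproduces the matching logic of the second, complete Snort rule above: a UDP datagram to port 12345 whose payload exceeds 350 bytes (dsize:>350) and begins with the "TLPU" marker (content:"TLPU"; depth:4). It parses raw IPv4/UDP frames and runs over a handful of constructed sample packets; the first rule's size threshold is truncated on the page, so it is not reproduced here.

```python
import struct

# Values taken from the published Snort rule.
TLPU_PORT = 12345
TLPU_MAGIC = b"TLPU"
MAX_DSIZE = 350  # dsize:>350 means strictly greater than 350 payload bytes


def parse_ipv4_udp(frame: bytes):
    """Return (dst_port, udp_payload) for a raw IPv4/UDP frame, or None if not UDP."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 17 or len(frame) < ihl + 8:   # protocol 17 = UDP
        return None
    _src, dst_port, udp_len, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + udp_len]       # dsize = UDP payload only
    return dst_port, payload


def oversized_tlpu_alert(dst_port: int, payload: bytes) -> bool:
    """Mirror of: alert udp any any -> any 12345 (dsize:>350; content:"TLPU"; depth:4;)."""
    return (dst_port == TLPU_PORT
            and len(payload) > MAX_DSIZE
            and payload[:4] == TLPU_MAGIC)


def build_ipv4_udp(dst_port: int, payload: bytes) -> bytes:
    """Constructed sample frame: minimal IPv4 header + UDP header, checksums left zero."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))  # constructed addresses
    return ip + udp


def scan(frames):
    """Return the indices of frames that would trigger the rule."""
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_ipv4_udp(frame)
        if parsed and oversized_tlpu_alert(*parsed):
            hits.append(i)
    return hits


# Constructed sample traffic: only index 1 matches the rule.
SAMPLE_FRAMES = [
    build_ipv4_udp(12345, b"TLPU" + b"\x00" * 40),   # normal-sized TLPU: no alert
    build_ipv4_udp(12345, b"TLPU" + b"A" * 400),     # oversized TLPU: alert
    build_ipv4_udp(12345, b"XXXX" + b"A" * 400),     # wrong marker: no alert
    build_ipv4_udp(5555, b"TLPU" + b"A" * 400),      # wrong port: no alert
]

if __name__ == "__main__":
    print(scan(SAMPLE_FRAMES))  # [1]
```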