Medical Advisory: BD FACSLyric

1. EXECUTIVE SUMMARY

  • CVSS v3 6.8
  • ATTENTION: Low skill level to exploit
  • Vendor: Becton, Dickinson and Company (BD)
  • Equipment: FACSLyric
  • Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to administrative level privileges on a workstation, which could allow arbitrary execution of commands. This vulnerability does not impact BD FACSLyric flow cytometry systems using the Windows 7 Operating System.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the FACSLyric flow cytometry solution are affected:

  • BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases, between November 2017 and November 2018, and
  • BD FACSLyric IVD Windows 10 Professional Operating System U.S. release.

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER ACCESS CONTROL CWE-284

The application does not properly enforce user access control to privileged accounts, which may allow for unauthorized access to administrative level functions.

CVE-2019-6517 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

4. MITIGATIONS

BD will follow up directly with all affected users to perform remediation activities. For BD FACSLyric RUO Cell Analyzer units with the Windows 10 Pro Operating System, BD will disable the administrative account. For BD FACSLyric IVD Cell Analyzer units with the Windows 10 Pro Operating System, BD has contacted affected users and will replace the computer workstations.

Medical Advisory: Stryker Medical Beds

1. EXECUTIVE SUMMARY

  • CVSS v3 6.8
  • ATTENTION: Public exploits are available
  • Vendor: Stryker
  • Equipment: Secure II MedSurg Bed, S3 MedSurg Bed, and InTouch ICU Bed
  • Vulnerability: Reusing a Nonce

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Stryker medical products are affected:

  • Secure II MedSurg Bed (enabled with iBed Wireless), Model: 3002,
  • S3 MedSurg Bed (enabled with iBed Wireless), Models: 3002 S3, and 3005 S3, and
  • InTouch ICU Bed (enabled with Bed Wireless), Models 2131, and 2141.

3.2 VULNERABILITY OVERVIEW

3.2.1    REUSING A NONCE, KEY PAIR IN ENCRYPTION CWE-323

The WPA and WPA2 protocols are affected by an industry-wide vulnerability, the Key Reinstallation Attacks known as KRACK. The four-way handshake traffic in the Wi-Fi Protected Access (WPA and WPA2) protocols can be manipulated to allow nonce reuse, resulting in key reinstallation. This could allow an attacker within radio range to execute a “man-in-the-middle” attack, enabling the attacker to replay, decrypt, or spoof frames.
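The paragraph above compresses the mechanism into one sentence. The model below is an added example, not Stryker's or any Wi-Fi stack's code and not an 802.11 implementation: a station is reduced to an installed key, a packet-number counter (the nonce) and a constructed stand-in for the stream cipher (SHA-256 over key, nonce and block index in place of CCMP's AES-CTR). It shows why a retransmitted handshake message 3 that re-installs an already-installed key reuses nonces, why that leaks the XOR of two frames' plaintexts (the "partial disclosure" in the risk evaluation), and what the patched behaviour looks like: an already-installed key is not reinstalled, so the counter keeps counting.

```python
"""Toy model of nonce reuse caused by key reinstallation (added example).

Not vendor code and not 802.11: the station keeps a key, an outgoing
packet-number counter and a constructed stream cipher. Only the counter
handling matters here, because that is what the KRACK fixes changed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def toy_keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Constructed stream cipher standing in for AES-CTR: the same (key, nonce)
    pair always produces the same keystream, which is the property at issue."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal supplicant state: the installed key plus the packet number."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.key: Optional[bytes] = None
        self.packet_number = 0
        self.used_nonces: List[Tuple[bytes, int]] = []

    def handle_message3(self, ptk: bytes) -> None:
        """Message 3 of the four-way handshake; the station installs the PTK.
        Retransmitted message 3 frames are legitimate (message 4 can be lost),
        so they must be accepted; the question is whether accepting one
        re-installs a key that is already in use."""
        if self.patched and self.key == ptk:
            # Fixed behaviour: the key is already installed, so leave the
            # packet-number counter alone instead of resetting it.
            return
        self.key = ptk
        self.packet_number = 0  # installing a key resets the packet number (nonce)

    def encrypt(self, plaintext: bytes) -> bytes:
        if self.key is None:
            raise RuntimeError("no key installed")
        self.packet_number += 1
        self.used_nonces.append((self.key, self.packet_number))
        return xor(plaintext, toy_keystream(self.key, self.packet_number, len(plaintext)))


def run_scenario(patched: bool) -> Dict[str, object]:
    """Handshake completes, one frame is sent, a retransmitted message 3
    arrives, a second frame is sent. Returns what someone holding both
    ciphertexts can learn."""
    ptk = b"\x11" * 16                  # constructed session key
    p1 = b"telemetry frame 1"           # constructed frame payloads
    p2 = b"telemetry frame 2"
    sta = Station(patched=patched)
    sta.handle_message3(ptk)
    c1 = sta.encrypt(p1)
    sta.handle_message3(ptk)            # retransmission of message 3
    c2 = sta.encrypt(p2)
    nonce_reused = len(sta.used_nonces) != len(set(sta.used_nonces))
    return {
        "nonce_reused": nonce_reused,
        # With a reused keystream c1 XOR c2 == p1 XOR p2, so knowing one
        # frame's content exposes the other; with fresh nonces it does not.
        "ciphertext_xor_reveals_plaintext_xor": xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unpatched:", run_scenario(patched=False))
    print("patched:  ", run_scenario(patched=True))
```

The unpatched run reports a reused (key, nonce) pair and confirms that the XOR of the two ciphertexts equals the XOR of the two plaintexts; the patched run reports neither. Real stacks additionally keep the replay counter, so a replayed frame with an old packet number is dropped, which is the "replay" half of the advisory's impact statement.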

The following CVEs have been assigned to this group of vulnerabilities:

CVE-2017-13077: Reinstallation of the pairwise key during the four-way handshake.

CVE-2017-13078: Reinstallation of the group key during the four-way handshake.

CVE-2017-13079: Reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake.

CVE-2017-13080: Reinstallation of the group key during the group key handshake.

CVE-2017-13081: Reinstallation of the IGTK during the group key handshake.

CVE-2017-13082: Reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake.

CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake.

CVE-2017-13087: Reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

CVE-2017-13088: Reinstallation of the IGTK when processing a WNM Sleep Mode Response frame.

A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

4. MITIGATIONS

Stryker has released software updates for affected products to mitigate the KRACK vulnerabilities.

  • Gateway 1.0 – no patch available
  • Gateway 2.0 – upgrade to software version 5212-400-905_3.5.002.01
  • Gateway 3.0 – patch incorporated in current software version 5212-500-905_4.3.001.01

SCS recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:

  • Disable the iBed wireless functionality if the user determines it is unnecessary.
  • SCS recommends these products operate on a separate VLAN, where possible, to ensure proper network security segmentation.
  • As an extra precaution, ensure the latest recommended updates (which include the KRACK patch) for Wi-Fi access points have been implemented in Wi-Fi enabled networks.

Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C (Update A)

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable from the same local network segment (OSI Layer 2)
  • Vendor: Siemens
  • Equipment: SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C
  • Vulnerability: Permissions, Privileges, and Access Controls

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-18-165-01 Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C that was published June 14, 2018.

3. RISK EVALUATION

By sending a specially crafted DHCP response to a client’s DHCP request, an unprivileged remote attacker could execute arbitrary code.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

Siemens reports the vulnerability affects the following products:

  • RFID 181-EIP: All versions,
——— Begin Update A Part 1 of 2 ———
  • RUGGEDCOM WiMAX: v4.4, v4.5, v5.0, and v5.1,
——— End Update A Part 1 of 2 ———
  • SCALANCE X-200: All versions prior to v5.2.3,
  • SCALANCE X-200 IRT: All versions prior to v5.4.1,
  • SCALANCE X-204RNA: All versions,
  • SCALANCE X-300: All versions,
  • SCALANCE X408: All versions,
  • SCALANCE X414: All versions, and
  • SIMATIC RF182C: All versions.

4.2 VULNERABILITY OVERVIEW

4.2.1    PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264

Unprivileged remote attackers located in the same local network segment (OSI Layer 2) could gain remote code execution on the affected products by sending a specially crafted DHCP response to a client’s DHCP request.

CVE-2018-4833 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

5. MITIGATIONS

Siemens has provided updates for the following products to fix the vulnerability:

——— Begin Update A Part 2 of 2 ———
  • RUGGEDCOM WiMAX: Update to V5.2

https://support.industry.siemens.com/cs/ww/en/view/109762466

——— End Update A Part 2 of 2 ———
  • SCALANCE X-200: Update to v5.2.3

https://support.industry.siemens.com/cs/cn/en/view/109758142

  • SCALANCE X-200 IRT: Update to v5.4.1

https://support.industry.siemens.com/cs/de/en/view/109758144

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • Use static IP addresses instead of DHCP
  • Apply cell protection concept: https://www.siemens.com/cert/operational-guidelines-industrial-security
  • Apply Defense-in-Depth: https://www.siemens.com/cert/operational-guidelines-industrial-security
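The advisory does not describe what in the crafted response triggers the defect, and the workarounds are preventive (static addressing, segmentation). The code below is an added example, not Siemens code and not tied to the specific bug behind CVE-2018-4833; it shows the two generic measures a defender can apply to the class "crafted DHCP response on the local segment": parse the option TLVs without ever trusting a length byte, and, on a mirror or span port, flag replies whose Server Identifier (option 54) is not one of the segment's authorised DHCP servers. The allowlist, addresses and packets are constructed for the demonstration.

```python
"""Bounds-checked DHCP reply parsing and rogue-server check (added example).

Not vendor code. Packet layout follows RFC 2131: a 236-byte fixed header,
the 4-byte magic cookie, then option TLVs terminated by END (255).
"""
import struct
from typing import Dict, Iterable, Optional

BOOTREPLY = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
FIXED_HEADER_LEN = 236


def parse_dhcp_reply(packet: bytes) -> Dict[str, object]:
    """Parse a BOOTP/DHCP reply. Raises ValueError on anything malformed
    rather than reading past the end of the buffer."""
    if len(packet) < FIXED_HEADER_LEN + 4:
        raise ValueError("packet shorter than fixed header plus magic cookie")
    op, _htype, _hlen, _hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    if op != BOOTREPLY:
        raise ValueError(f"not a BOOTREPLY (op={op})")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    yiaddr = ".".join(str(b) for b in packet[16:20])

    options: Dict[int, bytes] = {}
    pos = FIXED_HEADER_LEN + 4
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 1 >= len(packet):
            raise ValueError(f"option {code} truncated before its length byte")
        length = packet[pos + 1]
        start, end = pos + 2, pos + 2 + length
        if end > len(packet):
            # The length byte claims more data than the packet holds; an
            # unchecked parser would read out of bounds here.
            raise ValueError(f"option {code} length {length} exceeds packet")
        options[code] = packet[start:end]
        pos = end
    else:
        raise ValueError("options not terminated by END")

    msg_type = options.get(OPT_MSG_TYPE)
    server_id = options.get(OPT_SERVER_ID)
    if msg_type is None or len(msg_type) != 1:
        raise ValueError("DHCP message type option missing or malformed")
    if server_id is not None and len(server_id) != 4:
        raise ValueError("server identifier must be 4 bytes")
    return {
        "xid": xid,
        "yiaddr": yiaddr,
        "msg_type": msg_type[0],
        "server_id": ".".join(str(b) for b in server_id) if server_id else None,
    }


def rogue_server(packet: bytes, authorised: Iterable[str]) -> Optional[str]:
    """Return a reason string if the reply should be alerted on, else None.
    Malformed replies are treated as rogue rather than silently ignored."""
    try:
        info = parse_dhcp_reply(packet)
    except ValueError as exc:
        return f"malformed: {exc}"
    sid = info["server_id"]
    if sid is None:
        return "no server identifier"
    return None if sid in set(authorised) else str(sid)


def build_reply(xid: int, yiaddr: bytes, options: bytes) -> bytes:
    """Constructed DHCP reply for the demonstration (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + options


# Constructed allowlist and sample replies (all addresses are made up).
AUTHORISED = {"10.0.0.1"}
LEASE = bytes([10, 0, 0, 50])
OFFER_OK = build_reply(0x1234, LEASE, bytes([53, 1, 2, 54, 4, 10, 0, 0, 1, 255]))
OFFER_ROGUE = build_reply(0x1234, LEASE, bytes([53, 1, 2, 54, 4, 10, 0, 0, 99, 255]))
OFFER_BAD_LEN = build_reply(0x1234, LEASE, bytes([53, 1, 2, 54, 200, 10, 0, 0, 1, 255]))

if __name__ == "__main__":
    for name, pkt in [("ok", OFFER_OK), ("rogue", OFFER_ROGUE), ("bad length", OFFER_BAD_LEN)]:
        print(f"{name:11} -> {rogue_server(pkt, AUTHORISED)}")
```

The third sample carries an option whose length byte (200) points far past the end of the packet; the parser rejects it with an error instead of reading beyond the buffer, and the monitor reports it as malformed. The same rogue-server check applied to a live capture is a practical complement to the static-IP workaround on segments where DHCP cannot be switched off.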

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-181018 on their website:

https://www.siemens.com/cert/advisories

Omron CX-Supervisor (Update A)

1. EXECUTIVE SUMMARY

  • CVSS v3 7.0
  • Vendor: Omron
  • Equipment: CX-Supervisor
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-Of-Bounds Read, Use-After-Free, Incorrect Type Conversion or Cast

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-18-290-01 Omron CX-Supervisor that was published October 17, 2018, on the SCS website.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code under the context of the application, corrupt objects, and force the application to read a value outside of an array.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of CX-Supervisor are affected:

  • CX-Supervisor Versions 3.4.1.0 and prior.

4.2 VULNERABILITY OVERVIEW

4.2.1    IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

When processing project files and tampering with a specific byte, memory corruption may occur within a specific object.

CVE-2018-17905 has been assigned to this vulnerability. A CVSS v3 base score of 4.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

4.2.2   OUT-OF-BOUNDS READ CWE-125

When processing project files and tampering with the value of an offset, an attacker can force the application to read a value outside of an array.

CVE-2018-17907 has been assigned to this vulnerability. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

4.2.3    USE AFTER FREE CWE-416

When processing project files, the application fails to check whether it is referencing freed memory, which may allow an attacker to execute code under the context of the application.

CVE-2018-17909 has been assigned to this vulnerability. A CVSS v3 base score of 4.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

4.2.4    INCORRECT TYPE CONVERSION OR CAST CWE-704

A type confusion vulnerability exists when processing project files, which may allow an attacker to execute code in the context of the application.

CVE-2018-17913 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTOR: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

5. MITIGATIONS

Omron has released Version 3.4.2 of CX-Supervisor to address the reported vulnerabilities. Users can download the latest version of CX-Supervisor at the following location:

https://www.myomron.com/index.php?action=kb&article=1709

SCS recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

IDenticard PremiSys

1. EXECUTIVE SUMMARY

  • CVSS v3 8.8
  • ATTENTION: Exploitable remotely/low skill level to exploit/vulnerability details have been publicly disclosed
  • Vendor: IDenticard
  • Equipment: PremiSys
  • Vulnerabilities: Use of Hard-coded Credentials, Use of Hard-coded Password, Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to view sensitive information via backups, obtain access to credentials, and/or obtain full access to the system with admin privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of IDenticard PremiSys, an access control system, are affected:

  • PremiSys all versions prior to 4.1

3.2 VULNERABILITY OVERVIEW

3.2.1    USE OF HARD-CODED CREDENTIALS CWE-798

The system contains hard-coded credentials that allow admin access to the entire service via the PremiSys WCF Service endpoint, which may allow complete control with admin privileges.

CVE-2019-3906 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2    INADEQUATE ENCRYPTION STRENGTH CWE-326

The system stores user credentials and other sensitive information with a known weak encryption method, which may allow decryption and exposure of sensitive data.

CVE-2019-3907 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3    USE OF HARD-CODED PASSWORD CWE-259

The system stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable, which may allow access to the information they contain.

CVE-2019-3908 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government Facilities, Healthcare and Public Health, Water and Wastewater Systems.
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

4. MITIGATIONS

IDenticard has released updated software, Version 4.1, to address the hard-coded credential vulnerability (CVE-2019-3906). Inadequate encryption strength (CVE-2019-3907) and use of hard-coded password (CVE-2019-3908) are in the process of being fixed, with an update expected February 2019. These software updates will be provided free of charge. Additional information can be obtained by contacting the IDenticard Technical Support Team at (800) 220-8096.

IDenticard also recommends users change the Service Database default username and password.

SCS recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Restrict or monitor access to Port 9003/TCP.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.