Major Impacts on Hosptial in North America due to PwnedPiper Critical Bug

Major Impacts on Hosptial in North America due to PwnedPiper Critical Bug

Pneumatic tube system (PTS) stations constantly used in thousands of hospitals across the world are vulnerable to a combination of nine critical security issues collectively referred to as PwnedPiper.

PTS solutions are part of a hospital’s critical infrastructure as they are used to quickly deliver items like blood, tissue, lab samples, or medication assistance to where they are needed.

The bugs are in some of SwissLog’s TransLogic Pneumatic Tube System, an automated material transport solution for transferring medical items across the longer area in the medium to large hospitals.

According to the maker, TransLogic PTS is present in more than 2,300 hospitals in North America and more than 3,000 units worldwide profits from 24/7 customer support.

How the Critical Flaws left Unpatched?

Research from various connected device security associations discovered that an inaccurate threat actor could gain full control over some TransLogic PTS stations connected to the internet and then take over the whole PTS network of a target hospital.

Respectively, the company detected nine sensitive vulnerabilities in the firmware powering the Nexus Control Panel for handling “all current models of Translogic PTS stations.”   

While not all the bugs could be exploited by a remote attacker, their harshness level remains high provided a PTS’ role in a hospital.

Swisslog gets to know about the security concerns and states that they harm the HMI-3 circuit board in Nexus Panels connected to the internet. The company notes in an advisory this weekend that the affected PTS products “are setup primarily in hospitals within North America.” Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, states that the security concerns are not present unless a mix of the variable exists.

Swisslog states “The potential for pneumatic tube stations (where the firmware is set up) to be negotiated is dependent on a threat actors who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits.”

When researching the code powering the TransLogic PTS, Armis found the below-mentioned vulnerabilities:

  • CVE-2021-37163: Two cases of always-active hardcoded credentials (user and root accounts), accessible over Telnet
  • CVE-2021-37167: Privilege escalation; using the hardcoded passwords, a threat actor could run a user script with root privileges
  • CVE-2021-37166: Denial-of-service (DoS) caused by the GUI process of Nexus Control Panel binding a local service on the entire interface.

Four memory corruption flaws in the control protocol (TLP20) of TransLogic stations that could lead to remote code execution or at least a denial-of-service (DoS) conditions:

  • CVE-2021-37161: Underflow in udpRXThread
  • CVE-2021-37162: Overflow in sccProcessMsg
  • CVE-2021-37165: Overflow in hmiProcessMsg
  • CVE-2021-37164: Off-by-three stack overflow in tcpTxThretad 

And the most serious from all of them:

  • CVE-2021-37160: Unencrypted, authenticated firmware updates on the Nexus Control Panel. A threat actor could appropriate it to install malicious firmware on the system, importantly taking full control over it.

All of these vulnerabilities are collectively dubbed ‘PwnedPiper’ by the investigators.

Major-Impacts-on-Hosptial-in-North-America-due-to-PwnedPiper-Critical-Bug-image1

They also reported the vulnerabilities on May 1 and worked with Swisslog to develop and test a possible patch (v7.2.5.7), as well as to discover mitigation steps for hospitable unable to apply the fix right away.

How to Protect Again PwnedPiper Vulnerabilities?

For a hospital that is unable to install the recent firmware update for TransLogic PTS. We provide the following steps to defend against all the probable PwnedPiper attacks:

  • Block all the use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not needed in production)
  • Set up access control lists (ACLs), in which Translogic PTS elements (stations, diverters, etc,) are only permitted to transmit with the Translogic central server (SCC). 
  • Use the given Snort IDS rule to detect exploitation trials of CVE-2021-37161, CVE-2021-37162, and CVE-2021-37165:

Alert udp any any -> any 12345 (msg: “PROTOCOL –OTHER Pwneed piper exploitation attempt,

Too small and malformed Translogic packet”; dsize:

  • Use the below mentioned Snort IDS rule to detect exploitation attempts of CVE-2021-37164:

Alert udp any any -> any 12345 (msg: PrROTOCOL –OTHER Pwend piper exploitation attempt, 

Too large and malformed TransLogic Packet”; dsize:>350; 

Content: “TLPU”;

depth :4; reference : cve, 2021-37164;)

Leave a Reply