The Department of Homeland Security's ICS-CERT has put forward a warning of four vulnerabilities in multiple medical molecular imaging systems from Siemens.
The Department of Homeland Security's ICS-CERT has put forward a warning of four vulnerabilities in multiple medical molecular imaging systems from Siemens. These systems have exploits available to the public which can easily attract cybercriminals or attackers and allow them to remotely execute the code. This can eventually lead to the safety compromise of the imaging systems. "An attacker with a low skill would be able to exploit these vulnerabilities," ICS-CERT(Industrial Control System Computer Emergency Response Team) warned.The systems affected are :- Siemens PET/CT Systems: All Windows 7-based versions
- Siemens SPECT/CT Systems: All Windows 7-based versions ·
- Siemens SPECT Systems: All Windows 7-based versions ·
- Siemens SPECT Workplaces / Symbia.net: All Windows 7-based versions
Siemens identified these vulnerabilities in a customer alert on July 26. Siemens warned that the vulnerabilities were highly critical. Using the Common Vulnerability Scoring System, this was given a score of 9.8/10. Vulnerability classification according to CVSS score :- Vulnerability 1 (CVE-2015-1635)
An unauthenticated remote attacker could execute arbitrary code by sending specially crafted HTTP requests to the Microsoft web server (port 80/tcp and port 443/tcp) of affected devices. CVSS Base Score 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C - Vulnerability 2 (CVE-2015-1497)
An unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request to the HP Client automation service on port 3465/tcp of affected devices. CVSS Base Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C- Vulnerability 3 (CVE-2015-7860)
An unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request to the HP Client automation service of affected devices. CVSS Base Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C- Vulnerability 4 (CVE-2015-7861)
An unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request to the HP Client automation service of affected devices. CVSS Base Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C (from Siemens Security Advisory by Siemens ProductCERT)One of the vulnerabilities is in the built-in Window Web server running on the systems, and other three are in the HP Client Automation Service, which is used to remotely manage the software deployed to systems. "An unauthenticated, remote attacker could execute arbitrary code by sending specially crafted HTTP requests to the Microsoft Web server (port 80/tcp and port 443/tcp) of affected devices," Siemens warned. The bug in the Web server software allows code injection onto the devices in the first case.In the other three cases, they allow the remote injection of code using a crafted network request and then the execution of that code. It is done by exploiting a memory buffer bug. To bypass the access controls, another remote attack could also be used. It will also help in increasing the advantages for the attacker.Siemens has instructed customers to break the connection from all public networks and run their systems on isolated network segments or run in standalone mode until the updated patch is delivered by the company. DHS's ICS-CERT instructions to be followed are:Minimize network exposure for all medical devices and systems, and ensure that they are not accessible from the Internet.Locate all medical devices and remote devices behind firewalls, and isolate them from the business network.When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognizing that VPN is only as secure as the connected devices.The basic cyber security provisions are yet a missing factor in many of the hospitals and clinics, probably due lack of knowledge or awareness on the seriousness of the issue. According to the recent report to Congress by the Department of Health and Human Services' Health Care Industry Cybersecurity Task Force, "The majority of health delivery organizations lack full-time, qualified security personnel."Hospitals are vulnerable to cyber attack as the majority of the medical systems use the same network as the administrative network. Therefore, a single click on a phishing Email attachment can initiate a ransomware attack throughout the network. This can also occur due to old versions of software or unpatched software. Once the breach comes into action, it is powerful enough to shut down the hospitals, similar to WannaCry ransomware a couple of months ago. SOLUTION (from Siemens Security Advisory by Siemens ProductCERT)- Siemens Healthineers is preparing updates for the affected products and
- Recommends protecting network access to the Molecular Imaging products with appropriate mechanisms.
- It is advised to run the devices in a dedicated network segment and protected IT environment.
If the above cannot be implemented we recommend the following: - If patient safety and treatment is not at risk, disconnect the product from the network and use in standalone mode.
- Reconnect the product only after the provided patch or remediation is installed on the system. Siemens Healthineers is able to patch systems capable of Remote Update Handling (RUH) much faster by remote software distribution compared to onsite visits. Therefore customers of RUH capable equipment are recommended to clarify the situation concerning patch availability and remaining risk in the local customer network with the Siemens Customer Care Center first and then to re-connect their systems in order to receive patches as fast as possible via Remote Update Handling. This ensures smooth and fast receipt of updates and therefore supports re-establishment of system operations.
In addition, Siemens Healthineers recommends:- Ensure you have appropriate backups and system restoration procedures.
- For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center.
