PwnedPiper flaws in PTS systems affect major US hospitals

Researchers from cybersecurity firm Armis revealed a set of nine vulnerabilities labeled as PwnedPiper that could be used to launch a variety of attacks against a commonly used pneumatic tube system (PTS).

 

The Swisslog PTS system is used in hospitals to automate logistics and material delivery across the building using a network of pneumatic tubes.

 

The issue affects Swisslog Healthcare’s Translogic PTS system, which is used in about 80% of all large hospitals in North America and thousands of hospitals globally.

 

An attacker could use the PwnedPiper flaws to gain complete control of the Translogic Nexus Control Panel, which powers current Translogic PTS station models.

 

Attackers could exploit the flaws to carry out a range of harmful operations, including mounting a man-in-the-middle (MitM) attack to change or deploy ransomware.

 

“These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital,” reads the post published by Armis. “This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.”

 

Privilege escalation, memory corruption, remote code execution, and denial-of-service issues are among the vulnerabilities discovered.

 

To fully compromise the devices, an attacker could also push an insecure firmware update.

 

 


 

 

The following are the nine flaws uncovered by the researchers:

  • CVE-2021-37161 – Underflow in udpRXThread
  • CVE-2021-37162 – Overflow in sccProcessMsg
  • CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
  • CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
  • CVE-2021-37165 – Overflow in hmiProcessMsg
  • CVE-2021-37166 – GUI socket Denial of Service
  • CVE-2021-37167 – User script run by root can be used for privilege escalation (PE)
  • CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade

 

The majority of the identified vulnerabilities have been addressed in Swisslog’s Nexus Control Panel version 7.2.5.7. The CVE-2021-37160 vulnerability has yet to be fixed.

 

“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare. Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments,” concludes the report.

 

Swisslog has also issued previous research identified in response to these flaws.

 
