Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
09:00 AM
Connect Directly

Multiple Zero-Day Flaws Discovered in Popular Hospital Pneumatic Tube System

"PwnedPiper" flaws could allow attackers to disrupt delivery of lab samples or steal hospital employee credentials, new research shows.

Tucked behind the interior walls of thousands of hospitals in the US are little-known networks of air-pressurized tube systems that transport medications, bloodwork, and test samples among hospital departments, lab, and the operating room. One of the most popular of these so-called pneumatic tube system (PTS) stations recently was found to be harboring several vulnerabilities that attackers could exploit to wage disruptive attacks on this critical hospital delivery system or to steal or leak sensitive personal information on hospital employees.

Researchers at Armis discovered the flaws in the control panel of Swisslog Healthcare's TransLogic PTS system, a transport system used in more than 3,000 hospitals worldwide. An attacker could exploit the flaws in the TransLogic Nexus Control Panel, which runs the PTS stations, without authenticating to the network, according to Ben Seri, vice president of research at Armis, who along with researcher Barak Hadad will detail their findings this week at Black Hat USA in Las Vegas.

An older model of Swisslog's TransLogic PTS, its IQ station model that was sunsetted in 2017, also contains some of the flaws. That system is no longer supported by the vendor, so Swisslog customers should upgrade to the newer product, according to Armis.

The researchers have dubbed the flaws they found in Swisslog's Nexus Control Panel "PwndPiper." The vulnerabilities include two hard-coded passwords of user and root accounts that are accessible via default and fixed telnet access on the control panel (CVE-2021-37163) and four memory corruption flaws in the system's native TLP20 control protocol implementation that could be used for remote code execution and denial-of-service attacks. These are buffer- and stack overflow-type flaws and have been reported as CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, and CVE-2021-37164.

Nexus Control Panel also contains a privilege escalation flaw that could allow root access via telnet and hard-coded credentials to gain root access (CVE-2021-37167), and a denial-of-service (DoS) flaw (CVE-2021-37166) in the graphical user interface on the control panel that could allow an attacker to wage a DoS by impersonating GUI commands. The Nexus Control Panel also contains a design flaw that allows unsigned, as well as unauthenticated and unencrypted, firmware updates (CVE-2021-37160) to the system, the researchers found.

Seri says if an attacker hacks a Nexus station via any of these flaws, they could wrest control of all Nexus stations on the PTS network and wage a ransomware attack, for instance, or steal data from the stations, including employee RFID credentials as well as other intelligence about the PTS's physical configuration.

"The Nexus Control Panel powers the stations on-premises. Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems," including their RFID cards that open doors at the hospital building, he says.

Meanwhile, Swisslog today issued a software update for the firmware, v7.2.5.7, which patches all but one of the vulnerabilities, CVE-2021-37160, the unsigned firmware issue. The vendor for now is providing mitigation steps for that vuln.

"In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully gain access to a hospital's secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities," a Swisslog spokesperson said in a statement provided to Dark Reading. "We immediately started collaborating on both short-term mitigation and long-term fixes."

Swisslog said in its advisory issued today that the firmware flaws affect the HMI-3 circuit board in the Nexus Panels when the systems are Ethernet-connected, and the affected systems are mostly used in hospitals in North America. An attacker would need access to the victim's IT network to exploit the vulnerabilities, according to Swisslog.

While Armis and Swisslog say they worked closely on the remediation and disclosure of the vulnerabilities, they still disagree on the total number of flaws. Armis says the eight CVEs account for nine flaws it discovered (it points to the two hard-coded passwords in CVE-2021-37163), but Swisslog says Armis counted nine after considering "one vulnerability could have more than one impact and is claiming it as two vulnerabilities," according to a Swisslog spokesperson.

Armis' Seri describes it this way: "So these two accounts that have hard-coded passwords were assigned a single CVE. Swisslog removed one of these accounts — the user — but the root account still remained in the firmware after the patch. For that reason, it is clear these are separate vulnerabilities since they will have two separate solutions."

Yet Another IoT/OT Security Risk
Swisslog's Nexus Station devices are based on an older version of the Linux kernel, v2.6, and managed by a Windows-based central server that sits atop the entire PTS network. Among the features of the network are secure transfers of delivery, using the employee's RFID and password, and email and SMS alerts upon delivery of a container.

"Ten years ago, these systems were mainly used for testing," Seri says. "But now they are more integrated with the hospital and relying more on them for medicine and blood units," so disruption of them would be serious.

The Swisslog system had in its production version a hard-coded password "left inadvertently" from a developer of the system, notes Seri, and it could be used via telnet to run code remotely on the system.

PTS systems are yet another once-isolated physical system ultimately found to be prone to cyberattacks after joining the IP-based network infrastructure. They've traditionally been "secure" because of their obscurity, he notes.

"I do think this should be a wakeup call for a hospital to go ahead and finish up the segmentation" on it network, Seri says. "Most have segmented it for their medical devices, but other systems that are not as directly connected to patients" still affect patient care and need to be segmented and secured, he says.

"The central server and all stations can talk to [those] devices and should not talk to any other device on the network," for instance, he says.

Armis today published the technical details of its findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file