Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
09:00 AM
Connect Directly

Multiple Zero-Day Flaws Discovered in Popular Hospital Pneumatic Tube System

"PwnedPiper" flaws could allow attackers to disrupt delivery of lab samples or steal hospital employee credentials, new research shows.

Tucked behind the interior walls of thousands of hospitals in the US are little-known networks of air-pressurized tube systems that transport medications, bloodwork, and test samples among hospital departments, lab, and the operating room. One of the most popular of these so-called pneumatic tube system (PTS) stations recently was found to be harboring several vulnerabilities that attackers could exploit to wage disruptive attacks on this critical hospital delivery system or to steal or leak sensitive personal information on hospital employees.

Researchers at Armis discovered the flaws in the control panel of Swisslog Healthcare's TransLogic PTS system, a transport system used in more than 3,000 hospitals worldwide. An attacker could exploit the flaws in the TransLogic Nexus Control Panel, which runs the PTS stations, without authenticating to the network, according to Ben Seri, vice president of research at Armis, who along with researcher Barak Hadad will detail their findings this week at Black Hat USA in Las Vegas.

An older model of Swisslog's TransLogic PTS, its IQ station model that was sunsetted in 2017, also contains some of the flaws. That system is no longer supported by the vendor, so Swisslog customers should upgrade to the newer product, according to Armis.

The researchers have dubbed the flaws they found in Swisslog's Nexus Control Panel "PwndPiper." The vulnerabilities include two hard-coded passwords of user and root accounts that are accessible via default and fixed telnet access on the control panel (CVE-2021-37163) and four memory corruption flaws in the system's native TLP20 control protocol implementation that could be used for remote code execution and denial-of-service attacks. These are buffer- and stack overflow-type flaws and have been reported as CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, and CVE-2021-37164.

Nexus Control Panel also contains a privilege escalation flaw that could allow root access via telnet and hard-coded credentials to gain root access (CVE-2021-37167), and a denial-of-service (DoS) flaw (CVE-2021-37166) in the graphical user interface on the control panel that could allow an attacker to wage a DoS by impersonating GUI commands. The Nexus Control Panel also contains a design flaw that allows unsigned, as well as unauthenticated and unencrypted, firmware updates (CVE-2021-37160) to the system, the researchers found.

Seri says if an attacker hacks a Nexus station via any of these flaws, they could wrest control of all Nexus stations on the PTS network and wage a ransomware attack, for instance, or steal data from the stations, including employee RFID credentials as well as other intelligence about the PTS's physical configuration.

"The Nexus Control Panel powers the stations on-premises. Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems," including their RFID cards that open doors at the hospital building, he says.

Meanwhile, Swisslog today issued a software update for the firmware, v7.2.5.7, which patches all but one of the vulnerabilities, CVE-2021-37160, the unsigned firmware issue. The vendor for now is providing mitigation steps for that vuln.

"In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully gain access to a hospital's secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities," a Swisslog spokesperson said in a statement provided to Dark Reading. "We immediately started collaborating on both short-term mitigation and long-term fixes."

Swisslog said in its advisory issued today that the firmware flaws affect the HMI-3 circuit board in the Nexus Panels when the systems are Ethernet-connected, and the affected systems are mostly used in hospitals in North America. An attacker would need access to the victim's IT network to exploit the vulnerabilities, according to Swisslog.

While Armis and Swisslog say they worked closely on the remediation and disclosure of the vulnerabilities, they still disagree on the total number of flaws. Armis says the eight CVEs account for nine flaws it discovered (it points to the two hard-coded passwords in CVE-2021-37163), but Swisslog says Armis counted nine after considering "one vulnerability could have more than one impact and is claiming it as two vulnerabilities," according to a Swisslog spokesperson.

Armis' Seri describes it this way: "So these two accounts that have hard-coded passwords were assigned a single CVE. Swisslog removed one of these accounts — the user — but the root account still remained in the firmware after the patch. For that reason, it is clear these are separate vulnerabilities since they will have two separate solutions."

Yet Another IoT/OT Security Risk
Swisslog's Nexus Station devices are based on an older version of the Linux kernel, v2.6, and managed by a Windows-based central server that sits atop the entire PTS network. Among the features of the network are secure transfers of delivery, using the employee's RFID and password, and email and SMS alerts upon delivery of a container.

"Ten years ago, these systems were mainly used for testing," Seri says. "But now they are more integrated with the hospital and relying more on them for medicine and blood units," so disruption of them would be serious.

The Swisslog system had in its production version a hard-coded password "left inadvertently" from a developer of the system, notes Seri, and it could be used via telnet to run code remotely on the system.

PTS systems are yet another once-isolated physical system ultimately found to be prone to cyberattacks after joining the IP-based network infrastructure. They've traditionally been "secure" because of their obscurity, he notes.

"I do think this should be a wakeup call for a hospital to go ahead and finish up the segmentation" on it network, Seri says. "Most have segmented it for their medical devices, but other systems that are not as directly connected to patients" still affect patient care and need to be segmented and secured, he says.

"The central server and all stations can talk to [those] devices and should not talk to any other device on the network," for instance, he says.

Armis today published the technical details of its findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-08-12
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of ho...
PUBLISHED: 2022-08-12
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execu...
PUBLISHED: 2022-08-12
An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to b...
PUBLISHED: 2022-08-12
In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?action accepts parameters called extra, title, and onload that are partially sanitised and lead to reflected XSS that allows executing arbitrary JavaScript on the victim's machine.
PUBLISHED: 2022-08-12
Neo4j APOC (Awesome Procedures on Cypher) before and 4.x before allows Directory Traversal to sibling directories via apoc.log.stream.