Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:00 AM
Connect Directly

Multiple Zero-Day Flaws Discovered in Popular Hospital Pneumatic Tube System

"PwnedPiper" flaws could allow attackers to disrupt delivery of lab samples or steal hospital employee credentials, new research shows.

Tucked behind the interior walls of thousands of hospitals in the US are little-known networks of air-pressurized tube systems that transport medications, bloodwork, and test samples among hospital departments, lab, and the operating room. One of the most popular of these so-called pneumatic tube system (PTS) stations recently was found to be harboring several vulnerabilities that attackers could exploit to wage disruptive attacks on this critical hospital delivery system or to steal or leak sensitive personal information on hospital employees.

Researchers at Armis discovered the flaws in the control panel of Swisslog Healthcare's TransLogic PTS system, a transport system used in more than 3,000 hospitals worldwide. An attacker could exploit the flaws in the TransLogic Nexus Control Panel, which runs the PTS stations, without authenticating to the network, according to Ben Seri, vice president of research at Armis, who along with researcher Barak Hadad will detail their findings this week at Black Hat USA in Las Vegas.

An older model of Swisslog's TransLogic PTS, its IQ station model that was sunsetted in 2017, also contains some of the flaws. That system is no longer supported by the vendor, so Swisslog customers should upgrade to the newer product, according to Armis.

The researchers have dubbed the flaws they found in Swisslog's Nexus Control Panel "PwndPiper." The vulnerabilities include two hard-coded passwords of user and root accounts that are accessible via default and fixed telnet access on the control panel (CVE-2021-37163) and four memory corruption flaws in the system's native TLP20 control protocol implementation that could be used for remote code execution and denial-of-service attacks. These are buffer- and stack overflow-type flaws and have been reported as CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, and CVE-2021-37164.

Nexus Control Panel also contains a privilege escalation flaw that could allow root access via telnet and hard-coded credentials to gain root access (CVE-2021-37167), and a denial-of-service (DoS) flaw (CVE-2021-37166) in the graphical user interface on the control panel that could allow an attacker to wage a DoS by impersonating GUI commands. The Nexus Control Panel also contains a design flaw that allows unsigned, as well as unauthenticated and unencrypted, firmware updates (CVE-2021-37160) to the system, the researchers found.

Seri says if an attacker hacks a Nexus station via any of these flaws, they could wrest control of all Nexus stations on the PTS network and wage a ransomware attack, for instance, or steal data from the stations, including employee RFID credentials as well as other intelligence about the PTS's physical configuration.

"The Nexus Control Panel powers the stations on-premises. Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems," including their RFID cards that open doors at the hospital building, he says.

Meanwhile, Swisslog today issued a software update for the firmware, v7.2.5.7, which patches all but one of the vulnerabilities, CVE-2021-37160, the unsigned firmware issue. The vendor for now is providing mitigation steps for that vuln.

"In May, cyber security platform provider Armis approached us to share that it found some potential vulnerabilities to our TransLogic firmware that drives a specific panel in some pneumatic tube systems if a bad actor was first able to successfully gain access to a hospital's secure network, know and understand the pathway from there to the panel, and then leverage the vulnerabilities," a Swisslog spokesperson said in a statement provided to Dark Reading. "We immediately started collaborating on both short-term mitigation and long-term fixes."

Swisslog said in its advisory issued today that the firmware flaws affect the HMI-3 circuit board in the Nexus Panels when the systems are Ethernet-connected, and the affected systems are mostly used in hospitals in North America. An attacker would need access to the victim's IT network to exploit the vulnerabilities, according to Swisslog.

While Armis and Swisslog say they worked closely on the remediation and disclosure of the vulnerabilities, they still disagree on the total number of flaws. Armis says the eight CVEs account for nine flaws it discovered (it points to the two hard-coded passwords in CVE-2021-37163), but Swisslog says Armis counted nine after considering "one vulnerability could have more than one impact and is claiming it as two vulnerabilities," according to a Swisslog spokesperson.

Armis' Seri describes it this way: "So these two accounts that have hard-coded passwords were assigned a single CVE. Swisslog removed one of these accounts — the user — but the root account still remained in the firmware after the patch. For that reason, it is clear these are separate vulnerabilities since they will have two separate solutions."

Yet Another IoT/OT Security Risk
Swisslog's Nexus Station devices are based on an older version of the Linux kernel, v2.6, and managed by a Windows-based central server that sits atop the entire PTS network. Among the features of the network are secure transfers of delivery, using the employee's RFID and password, and email and SMS alerts upon delivery of a container.

"Ten years ago, these systems were mainly used for testing," Seri says. "But now they are more integrated with the hospital and relying more on them for medicine and blood units," so disruption of them would be serious.

The Swisslog system had in its production version a hard-coded password "left inadvertently" from a developer of the system, notes Seri, and it could be used via telnet to run code remotely on the system.

PTS systems are yet another once-isolated physical system ultimately found to be prone to cyberattacks after joining the IP-based network infrastructure. They've traditionally been "secure" because of their obscurity, he notes.

"I do think this should be a wakeup call for a hospital to go ahead and finish up the segmentation" on it network, Seri says. "Most have segmented it for their medical devices, but other systems that are not as directly connected to patients" still affect patient care and need to be segmented and secured, he says.

"The central server and all stations can talk to [those] devices and should not talk to any other device on the network," for instance, he says.

Armis today published the technical details of its findings.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...