Security expert at Armis have discovered 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component implemented in hospital networks and certain medical devices.
The flaws were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA) leadin to an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the weaknesses.
The FDA alert – labelled URGENT/11 – explains that the vulnerabilities could be remotely targeted by a threat actor allowing complete control to be taken of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, cause logical flaws or denial of service attack that could stop the device from being operational.
While there have been no reports of the flaws being successfully targeted in the wild, the FDA warns that the software required to exploit the flaws is publicly available.
Interpeak IPnet TCP/IP Stack allows network communications between computers, and while it is no longer supported by the original developer, some device producers are licensed to use the component in their software applications, systems, and equipment with no support.
The FDA warns that the vulnerable component is in use in some versions of the these operating systems:
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON Forum)
- ZebOS (by IP Infusion)
Specific Beckton Dickinson (BD), Drager, GE Healthcare, Philips Healthcare, and Spacelabs products are also impacted by the flaws. Each of those companies has published security advisories about the affected products.
WindRiver owns the license for IPnet and has released patches to address the flaws. If it is not possible to upgrade to the most recent version of the OSE, other mitigating controls can be implemented to lessen the chance of exploitation. WindRiver should be contacted for details of possible compensating control measures.
The flaws are listed in the ICS-CERT Medical Advisory (ICSMA-19-274-01). The FDA has published recommendations for device manufacturers, healthcare providers, healthcare facility staff, patients and caregivers, which can be seen on this link.
Healthcare suppliers have been advised to work with their device manufacturers to see which devices are vulnerable and find out about the steps that need to be taken to safeguard the devices. They have also been warned to inform patients using vulnerable devices to quickly report any suspected operational or functional changes to their medical devices.
Nine of the flaws are classified as high severity with a CVSS v3 score of between 7.0 and 10, three of which have a score of 9.8. In order of extent of severity, the CVE numbers are: CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12257, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, and CVE-2019-12265.