Anonymous tip-off helps improve healthcare security landscape

Several high-scoring vulnerabilities in software used to remotely manage defibrillator devices could lead to remote code execution or the loss of sensitive information, US authorities have warned

Several high-scoring vulnerabilities in software used to remotely manage defibrillator devices could lead to remote code execution or the loss of sensitive information, US authorities have warned.

Developed by Zoll, a US-based healthcare technology vendor, Defibrillator Dashboard allows medical professionals to monitor their ‘fleet’ of defibrillators.

Several vulnerabilities were discovered, including an unrestricted file upload flaw (with a near-maximum CVSS score of 9.9), a cross-site scripting (XSS) bug, insecure password storage, and a privilege escalation issue.

The flaws were anonymously reported to the US Cybersecurity and Infrastructure Agency (CISA), which then enabled the vendor to develop the necessary patches, an advisory explains.

“Successful exploitation of these vulnerabilities could allow remote code execution, allow an attacker to gain access to credentials, or impact confidentiality, integrity, and availability of the application,” CISA said.

Multiple vulnerabilities

The highest-scoring of the Defibrillator Dashboard flaws was an unrestricted file upload vulnerability (CVE-2021-27489). This could allow a non-admin user to upload a malicious file that enables them to remotely execute arbitrary commands.

The use of hard-coded cryptographic key (CVE-2021-27481) could allow an attacker to gain access to sensitive information, while the affected products also contain credentials stored in plaintext (CVE-2021-27487), also allowing access to sensitive information.

Read more of the latest healthcare security news

The XSS flaw (CVE-2021-27479) could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users.

Unpatched versions of the application allow users to store their passwords in a recoverable format (CVE-2021-27485), which could allow an attacker to retrieve the credentials from the web browser.

Finally, an improper privilege management flaw (CVE-2021-27483) contains insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user.

Update immediately

The vulnerabilities have been fixed in the latest version of Defibrillator Dash
board (version 2.2), and customers are recommended to update their software to version 2.2 if they haven’t already.

In a statement sent to The Daily Swig, Zoll said it is “important to note that these vulnerabilities pertain to the software-based monitoring solution for defibrillators, not the functionality of defibrillators themselves”.

Joseph Carson, chief security scientist at ThycoticCentrify, told The Daily Swig that vulnerabilities such as storing credentials in clear text are “unfortunately all too common”.

Carson added: “A CVSS v3 score of 9.9 is very high given it can be exploited remotely and has a low complexity rating. It should go without saying that anyone using this must upgrade as soon as possible.”

A Zoll spokesperson said: “Beyond the steps being taken to address this specific issue, Zoll is constantly enhancing its software development security program.

“Internal risk assessments and lessons learned from the security researcher community constantly yield improvements, and Zoll’s software development process uses widely integrated code-checking tools that are stronger than ever before.”

READ Anatomy of a healthcare data breach

Speaking more generally about how medical staff can protect themselves against vulnerabilities, Christian Espinosa, managing director at Cerberus Sentinel, told The Daily Swig: “Hospitals and clinics should put medical devices on separate VLANs that only allow traffic to/from the device to systems the device needs to communicate with.

“This minimizes the risk of the device being compromised and also minimizes the exposure to other hospital and clinic systems if the device is compromised.”

YOU MAY ALSO LIKE Thousands of VMWare vCenter Server instances still unpatched against critical flaws three weeks post-disclosure