Cybersecurity researchers on Monday disclosed a set of nine vulnerabilities known as "PwnedPiper" that left a widely-used pneumatic tube system (PTS) vulnerable to critical attacks, including a possibility of complete takeover.
The security weaknesses, disclosed by American cybersecurity firm Armis, impact the Translogic PTS system by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and in no fewer than 3,000 hospitals worldwide.
"These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital," Armis researchers Ben Seri and Barak Hadad said. "This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information."
Pneumatic tube systems are internal logistics and transport solutions that are used to securely transport blood, tissue, and lab samples in hospital settings to diagnostic laboratories.
Successful exploitation of the issues, therefore, could result in leakage of sensitive information, enable an adversary to manipulate data, and even compromise the PTS network to carry out a man-in-the-middle (MitM) attack and deploy ransomware, thereby effectively halting the operations of the hospital.
The details about the nine PwndPiper vulnerabilities are listed as follows -
- CVE-2021-37161 – Underflow in udpRXThread
- CVE-2021-37162 – Overflow in sccProcessMsg
- CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
- CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
- CVE-2021-37165 – Overflow in hmiProcessMsg
- CVE-2021-37166 – GUI socket Denial Of Service
- CVE-2021-37167 – User script run by root can be used for PE
- CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade
In a nutshell, the flaws — which concern privilege escalation, memory corruption, and denial-of-service — could be abused to gain root access, achieve remote-code-execution, or render systems unavailable, and worse, permit an attacker to maintain persistence on compromised PTS stations via an insecure firmware upgrade procedure, leading to unauthenticated remote-code-execution. It's also worth noting that a patch for CVE-2021-37160 is expected to be shipped at a future date.
"The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility's information technology network and who could cause additional damage by leveraging these exploits," Swisslog Healthcare said in an independent advisory published today.
Translogic PTS system customers are highly recommended to update to the latest firmware (Nexus Control Panel version 220.127.116.11) to mitigate any potential risk that may arise out of real-world exploitation of the shortcomings.
"This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare," Seri and Hadad said. "Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments."