Multiple flaws have been disclosed in a widely used pneumatic tube system (PTS), leaving it vulnerable to attacks.
Researchers from security firm Armis disclosed a set of nine vulnerabilities, dubbed PwnedPiper, that can be exploited to carry out multiple attacks against a widely used pneumatic tube system (PTS).
Swisslog PTS systems are used in hospitals to automate logistics and the transport of materials throughout the building via a network of pneumatic tubes.
The flaws affect the Translogic PTS system manufactured by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and thousands of hospitals worldwide.
A threat actor can exploit the PwnedPiper vulnerabilities to completely take over the Translogic Nexus Control Panel, which powers current models of Translogic PTS stations.
The attackers can conduct a broad range of malicious activities, such as carrying out a man-in-the-middle (MitM) attack to change or deploy ransomware.
According to a post published by Armis, these vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital. The attackers can perform sophisticated ransomware attacks and can leak sensitive hospital information.
The flaws include privilege escalation, memory corruption, remote-code execution, and denial-of-service issues. An attacker could also push an insecure firmware upgrade to fully compromise the devices.
The vulnerabilities discovered by the researchers include:
- CVE-2021-37161 – Underflow in udpRXThread
- CVE-2021-37162 – Overflow in sccProcessMsg
- CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
- CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
- CVE-2021-37165 – Overflow in hmiProcessMsg
- CVE-2021-37166 – GUI socket Denial of Service
- CVE-2021-37167 – User script run by root can be used for PE
- CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade
Most of the above-mentioned vulnerabilities are addressed in the new Nexus Control Panel version 18.104.22.168. CVE-2021-37160 has yet to be addressed.
Image credits: Swisslog Healthcare