Swisslog Healthcare has released an advisory detailing several vulnerabilities affecting their Translogic Pneumatic Tube System (PTS) Nexus control panel software. All but one of the vulnerabilities, dubbed “PwnedPiper,” have been patched, with mitigations available for the remaining one.
What is the nature of the vulnerabilities?
Used in an estimated 80% of hospitals in North America, the Swisslog Healthcare PTS is used to transport meds, lab samples, and supplies between multiple locations across a facility. It’s similar to the deposit tube at a drive-up bank teller, but more sophisticated with routing and automation.
IoT security firm Armis said it discovered nine vulnerabilities in Nexus Control Panel, the software used to control how containers are transported between hospital sections.
“These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital,” the Armis team said.
The vulnerabilities outlined by Armis, dubbed “PwnedPiper,” are:
CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server.
Two vulnerabilities that are hardcoded passwords of user and root accounts, that can be accessed by login to the Telnet server on the Nexus Control Panel – that is enabled by default and cannot be turned off by native configuration of the system.
This vulnerability can be mitigated by not allowing Telnet to the device
CVE-2021-37167 – User script run by root can be used for PE.
A privilege escalation vulnerability due to a user script being run by root. By using the hardcoded credentials of the user account, through the Telnet server, the user can leverage this PE to gain root access.
CVE-2021-37161 – Underflow in udpRXThread
CVE-2021-37162 – Overflow in sccProcessMsg
CVE-2021-37165 – Overflow in hmiProcessMsg
CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
Four memory corruption bugs in the implementation of the TLP20 protocol as used in the Nexus Control Panel, that can lead to remote-code-execution and denial-of-service. The TLP20 protocol is the control protocol for all Translogic stations.
Patch provided by Swisslog.
CVE-2021-37166 – GUI socket Denial Of Service
A denial-of-service vulnerability that is a result of the GUI process on the Nexus Control Panel binding a local service on all interfaces, allowing external connections to hijack its connection. This can allow an attacker to mimic the GUI commands versus the low-level process that controls the Nexus Control Panel, effectively accessing all GUI commands through the network.
Patch provided by Swisslog.
CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade
A design flaw in which firmware upgrades on the Nexus Control Panel are unencrypted, unauthenticated and do not require any cryptographic signature. This is the most severe vulnerability since it can allow an attacker to gain unauthenticated remote-code-execution by initiating a firmware update procedure while also maintaining persistence on the device.
Unpatched at this time – see workaround below.
What’s at risk?
Successful exploitation could result in leakage of sensitive information, enable an attacker to manipulate data, and possibly compromise the PTS network to carry out a man-in-the-middle (MitM) attacks and deploy ransomware.
- Nexus Control versions prior to 18.104.22.168
What can I do to protect against this vulnerability?
For all but one of the vulnerabilities, upgrading Nexus Software to version 22.214.171.124, released August 2, will patch the issues.
The most severe of the vulnerabilities, however, CVE-2021-37160, still requires a workaround to mitigate until Swisslog releases a proper patch:
From Swisslog’s bulletin:
Network firewalls that restrict inter-VLAN traffic on the network must allow inbound and outbound internal network connections for ports listed in “Windows firewalls.” Do not restrict these ports to specific applications.
Layer 3 Access Control List
If there is no firewall between the SCC and the floor devices, apply an extended ACL in the layer 3 VLAN that is dedicated to the PTS floor equipment. Both inbound and outbound access lists are required between the SCC server and floor equipment, allowing the use of the TCP and UDP ports listed.
Swisslog CVE disclosures