SoylentNews is people

posted by Fnord666 on Tuesday June 18 2019, @03:19AM
from the infused-with-bugs dept.

Submitted via IRC for SoyCow4463

Researchers discovered two vulnerabilities in Alaris Gateway Workstations that are used to deliver fluid medication. One of them is critical and an attacker could leverage it to take full control of the medical devices connecting to it.

The flaw in the device's firmware code was assigned the highest possible severity score, a perfect 10, because it can be exploited remotely and without authentication. The other issue is less severe and affects the workstation's web-based management interface.

[...] Researchers at CyberMDX discovered that the AGW's firmware can be replaced remotely with a custom version. An attacker sitting on the same network as the target system would be able to "update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE," say the researchers.

With this type of access, the adversary would be able to alter the dosage of the drug dispensed by certain models of infusion pumps connected to an AGW, which are common in hospital wards and intensive care units.

Source: https://www.bleepingcomputer.com/news/security/critical-bug-in-infusion-system-allows-changing-drug-dose-in-medical-pumps/


  • (Score: 2) by NotSanguine on Tuesday June 18 2019, @03:14PM (5 children)

    Came to post about how this could be really serious, potentially causing serious injury and/or death.

    Also to note that it has been assigned CVE-2019-10959 [nist.gov], with more details available via links there. Like these gems from here [us-cert.gov]:

    3.2 VULNERABILITY OVERVIEW
    3.2.1 IMPROPER ACCESS CONTROL CWE-284
    The web browser user interface on the Alaris Gateway Workstation does not prevent an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the status and configuration information of the device.

    CVE-2019-10962 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

    3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
    The application does not restrict the upload of malicious files during a firmware update.

    And so I came to add some info (submitters and eds, adding CVE numbers is usually *really* useful and I recommend doing so in TFS every time -- as usual, the CVE reference was in TFA, but why make us read TFA?), in case anyone was either curious or worked in the healthcare field and might have more than a passing interest.

    And then I come upon whinging from Ari (Hi, Ari!) and reasonable snark about it, instead of any discussion about the vulnerability or the potential for harm to patients. Meh, I guess it is what it is.

    Continuing with the *important* stuff, why don't you guys just make Aristarchus an editor and put him in *your shoes* for a while. What do you think Ari?

    It's probably not as much fun as submitting stuff and then complaining about how you're being suppressed, but you could actually pick stories for the front page -- they wouldn't be your submissions (that's bad form for an editor), but perhaps it would limit how much you shit all over the comments because you're being "discriminated" against.

    I, for one, would welcome that.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
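The story summary above and the advisory excerpt quoted in the comment above describe two missing controls on the workstation's update path: the web interface asks for no authentication (CWE-284), and the firmware updater accepts any uploaded CAB file without checking what it is or where it came from (CWE-434). The following Python is an added example of how a device-side update gate can fail closed on both points; it is not the vendor's code, CyberMDX's proof of concept, or anything taken from the advisory. It assumes the firmware image is a single-part Microsoft Cabinet file, an upper size bound of 16 MiB, and, as a stand-in for verifying a vendor signature, a SHA-256 release digest pinned on the device out of band. The CAB builder only produces constructed test input, not a real AGW image.

```python
import hashlib
import hmac
import struct

# Layout of the fixed CFHEADER at the start of every Microsoft Cabinet file:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CAB_MAGIC = b"MSCF"
CAB_HEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36 bytes, little-endian

MAX_IMAGE_BYTES = 16 * 1024 * 1024  # assumed upper bound for a firmware image


def parse_cab_header(data):
    """Parse and sanity-check the CFHEADER; raise ValueError on anything that
    is not a plain, single-part cabinet whose declared size matches the upload."""
    if len(data) < CAB_HEADER.size:
        raise ValueError("too short to be a CAB file")
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, v_minor, v_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CAB_HEADER.unpack_from(data)
    if sig != CAB_MAGIC:
        raise ValueError("not a CAB file (bad magic)")
    if (v_major, v_minor) != (1, 3):
        raise ValueError("unsupported CAB format version")
    if cb_cabinet != len(data):
        raise ValueError("declared cabinet size does not match the upload")
    if flags != 0:
        raise ValueError("multi-part or reserved-field cabinets are not accepted")
    if not CAB_HEADER.size <= coff_files < len(data):
        raise ValueError("CFFILE offset outside the file")
    if c_folders < 1 or c_files < 1:
        raise ValueError("cabinet contains no folders or files")
    return {"size": cb_cabinet, "folders": c_folders, "files": c_files}


def release_digest(image):
    """SHA-256 hex digest a vendor would publish for a release image."""
    return hashlib.sha256(image).hexdigest()


def accept_firmware_update(authenticated, upload, pinned_sha256):
    """Gate for a firmware-update upload. Returns (accepted, reason) and
    fails closed on every check the AGW reportedly lacked."""
    if not authenticated:                      # CWE-284: no anonymous updates
        return False, "authentication required"
    if len(upload) > MAX_IMAGE_BYTES:
        return False, "image exceeds size limit"
    try:                                       # CWE-434: only well-formed CABs
        parse_cab_header(upload)
    except ValueError as exc:
        return False, "rejected upload: %s" % exc
    # Stand-in for vendor signature verification (assumption): the image must
    # match a release digest pinned on the device out of band. A constant-time
    # compare avoids leaking how many digest characters matched.
    if not hmac.compare_digest(release_digest(upload), pinned_sha256):
        return False, "image does not match the pinned release digest"
    return True, "update accepted"


def build_constructed_cab(payload, name=b"firmware.bin"):
    """Build a minimal, uncompressed single-file CAB (constructed test input,
    not a real AGW image): CFHEADER, one CFFOLDER, one CFFILE, one CFDATA."""
    cffile = struct.pack("<IIHHHH", len(payload), 0, 0, 0, 0, 0x20) + name + b"\0"
    coff_files = CAB_HEADER.size + 8            # CFFOLDER is 8 bytes
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    folder = struct.pack("<IHH", coff_data, 1, 0)   # one data block, no compression
    total = coff_data + len(cfdata)
    header = CAB_HEADER.pack(CAB_MAGIC, 0, total, 0, coff_files, 0, 3, 1, 1, 1, 0, 0, 0)
    return header + folder + cffile + cfdata


if __name__ == "__main__":
    image = build_constructed_cab(b"constructed firmware payload")
    pinned = release_digest(image)
    print(accept_firmware_update(False, image, pinned))
    print(accept_firmware_update(True, b"MZ" + b"\0" * 40, pinned))
    print(accept_firmware_update(True, image, pinned))
```

The order of the checks matters: authentication is tested before a single byte of the upload is parsed, the size bound runs before the parser, and the digest is compared only on input that already passed the structural checks, so a malformed or oversized file never reaches the expensive step. A pinned digest is only a placeholder for the real control, which is a signature by a vendor key that the attacker on the ward network does not hold.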
  • (Score: 3, Informative) by Gaaark on Tuesday June 18 2019, @03:51PM (1 child)

    by Gaaark (41) on Tuesday June 18 2019, @03:51PM (#857023) Journal

    You're right: I don't understand how people can use Windows for ANYTHING other than gaming....put your LIFE under the control of Windows? Sheeeit NO!

    WindowsCE bloody price checker machines crash every day.... would you put your life in the hands of an alcoholic who needs ultra-fine motor control?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by NotSanguine on Tuesday June 18 2019, @03:59PM

      Your point is well taken, but the vulnerabilities appear to be application-level (no authentication on web access, no verification of code when updating firmware, etc.) and aren't Windows specific at all.

      I'm perfectly happy to take Microsoft to task for the many, many, many, many (add a few more 'many's to make things approximate the level of fuck ups) instances of vulnerabilities, poor coding, poor testing, brain-dead policies, rapacious marketing/sales tactics, anti-competitive actions, spying on users, and on and on.

      However, this doesn't appear to be a Windows issue. It's an application and permissions/authorization issue.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 1) by aristarchus on Tuesday June 18 2019, @09:21PM (2 children)

    by aristarchus (2645) on Tuesday June 18 2019, @09:21PM (#857181) Journal

    Looks like we need, unfortunately, an "on-topic" mod. Well said, NotSanguine!

    (As for "aristarchus for ed", the double spam mod is still in place, for saying "Wow" in four different stories that had no comments, more of a "frost piste" than spamming. I don't think they like me, and are looking for any excuse to censor me. Sorry, but you asked for it. #Freearistarchus.)

    • (Score: 2) by NotSanguine on Tuesday June 18 2019, @10:16PM (1 child)

      Just because you spammed a bunch of articles doesn't mean they don't like you.

      It means you spammed multiple articles and were called on it by the users. Any logged in user can mod you spam, and IIRC, at least a couple of the spam mods you received weren't from editors or admins. Just regular users who don't want to see that shit.

      Perhaps you'll consider this [xkcd.com] next time.

      Regardless of how many comments there may or may not be, spamming is still spamming. If you'd been more original, you'd have been just as likely to get modded funny or offtopic instead.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 0, Troll) by aristarchus on Wednesday June 19 2019, @08:53AM

        by aristarchus (2645) on Wednesday June 19 2019, @08:53AM (#857359) Journal

        And, once more, you have allowed yourself to be drawn off-topic! And you started out so well!