posted by Fnord666 on Tuesday November 19 2019, @01:36AM   Printer-friendly
from the remove-an-appendix-or-two dept.

Submitted via IRC for SoyCow1337

US-CERT Warns of Remotely Exploitable Bugs in Medical Devices

Vulnerabilities in key surgical equipment could be remotely exploited by a low-skill attacker.

US-CERT has issued an advisory for vulnerabilities in Medtronic's Valleylab FT10 and Valleylab FX8 Energy Platforms, both key surgical equipment that could be remotely exploited by a low-skill attacker. Vulnerabilities also affect Valleylab Exchange Client, officials report.

The advisory details three vulnerabilities. One is the use of hard-coded credentials (CVE-2019-13543). Affected devices use multiple sets of hard-coded credentials; if discovered, they could be used to read files on the equipment. The flaw has been assigned a CVSS base score of 5.8.

These products also use a reversible one-way hash for OS password hashing. While interactive, network-based logons are disabled, an attacker could use the other disclosed vulnerabilities to gain local shell access and obtain these hashes. This flaw (CVE-2019-13539) has a CVSS score of 7.0.

Improper input validation (CVE-2019-3464 and CVE-2019-3463) marks the third type of vulnerability. The affected devices use a vulnerable version of the rssh utility to enable file uploads, which could give an attacker administrative access to files or the ability to execute arbitrary code. This vulnerability has been given a CVSS score of 9.8.


Related Stories

Why Repair Techs are Hacking Ventilators with DIY Dongles from Poland

Hacking Ventilators With DIY Dongles From Poland:

As COVID-19 surges, hospitals and independent biomedical technicians have turned to a global grey-market for hardware and software to circumvent manufacturer repair locks and keep life-saving ventilators running.

The dongle is handmade, little more than a circuit board encased in plastic with two connectors. One side goes to a ventilator’s patient monitor, another goes to the breath delivery unit. A third cable connects to a computer.

This little dongle—shipped to him by a hacker in Poland—has helped William repair at least 70 broken Puritan Bennett 840 ventilators that he’s bought on eBay and from other secondhand websites. He has sold these refurbished ventilators to hospitals and governments throughout the United States, to help them handle an influx of COVID-19 patients. Motherboard agreed to speak to William anonymously because he was not authorized by his company to talk to the media, but Motherboard verified the specifics of his story with photos and other biomedical technicians.

William is essentially Frankensteining together two broken machines to make one functioning machine. One of the most common repairs he does on the PB840, made by a company called Medtronic, is replacing broken monitors with new ones. The issue is that, like so many other electronics, medical equipment, including ventilators, increasingly has software that prevents “unauthorized” people from repairing or refurbishing broken devices, and Medtronic will not help him fix them.

[...] Delays in getting equipment running put patients at risk. In the meantime, biomedical technicians will continue to try to make-do with what they can. “If someone has a ventilator and the technology to [update the software], more power to them,” Mackeil said. “Some might say you’re violating copyright, but if you own the machine, who’s to say they couldn’t or they shouldn’t?”

I understand that there is an ongoing debate on the "right to repair". However, many manufacturers increasingly find ways to ensure that "unauthorised" people cannot repair their devices. Where do you stand on this issue? During the ongoing pandemic, do medical device manufacturers have the right to prevent repair by third parties?
