Multiple zero-day flaws discovered in popular hospital pneumatic-tube system

Tucked behind the interior walls of thousands of hospitals in the US are little-known networks of air-pressurized tube systems that transport medications, bloodwork, and test samples among hospital departments, lab, and the operating room. One of the most popular of these so-called pneumatic tube system (PTS) stations recently was found to be harboring several vulnerabilities that attackers could exploit to wage disruptive attacks on this critical hospital delivery system or to steal or leak sensitive personal information on hospital employees.

Researchers at Armis discovered the flaws in the control panel of Swisslog Healthcare’s TransLogic PTS system, a transport system used in more than 3,000 hospitals worldwide. An attacker could exploit the flaws in the TransLogic Nexus Control Panel, which runs the PTS stations, without authenticating to the network, according to Ben Seri, vice president of research at Armis, who along with researcher Barak Hadad will detail their findings this week at Black Hat USA in Las Vegas.

An older model of Swisslog’s TransLogic PTS, its IQ station model that was sunsetted in 2017, also contains some of the flaws. That system is no longer supported by the vendor, so Swisslog customers should upgrade to the newer product, according to Armis.

The researchers have dubbed the flaws they found in Swisslog’s Nexus Control Panel “PwndPiper.” The vulnerabilities include two hard-coded passwords of user and root accounts that are accessible via default and fixed telnet access on the control panel (CVE-2021-37163) and four memory corruption flaws in the system’s native TLP20 control protocol implementation that could be used for remote code execution and denial-of-service attacks. These are buffer- and stack overflow-type flaws and have been reported as CVE-2021-37161, CVE-2021-37162, CVE-2021-37165, and CVE-2021-37164.

Nexus Control Panel also contains a privilege escalation flaw that could allow root access via telnet and hard-coded credentials to gain root access (CVE-2021-37167), and a denial-of-service (DoS) flaw (CVE-2021-37166) in the graphical user interface on the control panel that could allow an attacker to wage a DoS by impersonating GUI commands. The Nexus Control Panel also contains a design flaw that allows unsigned, as well as unauthenticated and unencrypted, firmware updates (CVE-2021-37160) to the system, the researchers found.

Seri says if an attacker hacks a Nexus station via any of these flaws, they could wrest control of all Nexus stations on the PTS network and wage a ransomware attack, for instance, or steal data from the stations, including employee RFID credentials as well as other intelligence about the PTS’s physical configuration.

“The Nexus Control Panel powers the stations on-premises. Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems,” including their RFID cards that open doors at the hospital building, he says.

Meanwhile, Swisslog today issued a software update for the firmware, v7.2.5.7, which patches all but one of the vulnerabilities, CVE-2021-37160, the unsigned firmware issue. The vendor for now is providing mitigation steps for that vulnerability.

To read the complete article, visit Dark Reading.