Armis Security researchers found 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, which is a third-party software part utilized in some medical devices and hospital networks.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) received a report about the vulnerabilities and issued an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication to warn patients, healthcare organizations, facility personnel and manufacturers regarding the vulnerabilities.
The FDA advisory – referred to as URGENT/11 – describes the vulnerabilities as remotely exploitable and may allow the attacker to have full control of a vulnerable device. It allows an attacker to change device functions, access sensitive data, set off denial of service attack or logical flaws to make the device stop functioning.
Although there was no report of exploitation of the flaws in the wild, FDA issued a warning that the software needed to take advantage of the vulnerability is freely accessible.
Interpeak IPnet TCP/IP Stack is used in network connections between computers. The original developer no longer supports this item, but a number of device manufacturers are still approved to use the product in their software programs, systems, and devices even without the developer’s support.
The FDA alert mentioned that the vulnerable software component is still actively used in certain versions of the operating systems listed below:
- VxWorks (by Wind River)
- INTEGRITY (by Green Hills)
- Operating System Embedded (OSE) (by ENEA)
- ThreadX (by Microsoft)
- ZebOS (by IP Infusion)
- ITRON (by TRON Forum)
Selected Beckton Dickinson (BD), Philips Healthcare, Drager, GE Healthcare, and Spacelabs items are likewise impacted by the vulnerabilities. All of these businesses have issued security advisories regarding the affected devices.
WindRiver retains the IPnet license and has issued patches to offset the vulnerabilities. If there’s no way to upgrade the OSE to the most current version, there are other mitigating steps that could be carried out to minimize the chance of exploitation. Get in touch with WindRiver for information on potential compensating controls.
The vulnerabilities are further explained in the ICS-CERT Medical Advisory (ICSMA-19-274-01). There are recommendations released by FDA for healthcare companies, healthcare facility personnel, device manufacturers, patients, and caregivers, that could be found on this link.
It is recommended that healthcare companies should work together with their device vendors to find out which units are vulnerable and know the necessary steps to keep the devices secure. Healthcare companies must also inform patients who are using vulnerable devices to report any noticeable functional or operational changes with their medical devices immediately.
Of the 11 identified vulnerabilities, 9 are categorized as high severity having a CVSS v3 rating of 7.0 to 10, three have a CVSS v3 rating of 9.8. Listed are the CVE numbers in order of severity: