Five vulnerabilities were found in the Contec Health CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. A threat actor could exploit the vulnerabilities to carry out a denial-of-service attack, gain access to a root shell, change configurations, alter firmware, and make the monitor display incorrect information.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a security alert regarding the vulnerabilities; however, Contec Health did not reply to its requests. Healthcare organizations that use the affected monitors must therefore contact Contec Health directly for details on how to address the vulnerabilities.
CVE-2022-38100 is the most critical vulnerability, with a CVSS v3 severity rating of 7.5. A threat actor can exploit the vulnerability remotely if they have access to the system. Exploitation can result in failure of the device. The vulnerability is exploited by sending the device malformed network data in a specific UDP request format; the device will crash and need to be rebooted. The attack could be carried out simultaneously against all vulnerable units connected to the network in a large-scale denial-of-service attack.
The device has poor access controls that could be taken advantage of by an attacker with physical access to the unit. The attacker can plug in a USB device and upload malicious firmware to permanently modify the operation of the device; no authentication is required to execute the firmware update. The vulnerability is tracked as CVE-2022-36385 with a CVSS severity rating of 6.8.
The device does not appropriately sanitize the SSID name of a new Wi-Fi access point (CVE-2022-3027). When an SSID with a malicious name is created, such as one containing non-standard characters, and the device attempts to connect to that Wi-Fi access point, the vulnerability can be exploited to create files on the device and make it display incorrect data. The vulnerability has been assigned a CVSS severity score of 5.7.
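As an added illustration of the input-validation gap behind CVE-2022-3027 (example code written for this article, not Contec's firmware): a conservative SSID check that a firmware could apply before handing the access point name to any code that builds file paths or commands from it. The 32-octet limit is the 802.11 maximum; the rejected character set is an assumed policy, not one taken from the device.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* 802.11 SSIDs are at most 32 octets. */
#define SSID_MAX_LEN 32

/* Returns true only if the SSID is 1..32 bytes of printable ASCII and contains
 * none of the characters that would be dangerous inside a file path or a shell
 * command. Assumed policy for this example; a real device should derive the
 * allowed set from how it actually uses the SSID string. */
bool ssid_is_safe(const char *ssid, size_t len)
{
    if (ssid == NULL || len == 0 || len > SSID_MAX_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (c < 0x20 || c > 0x7e)            /* control bytes, DEL, non-ASCII */
            return false;
        if (strchr("/\\\"'`$;|&<>", c) != NULL) /* path and shell metacharacters */
            return false;
    }
    return true;
}

/* Copy a validated SSID into a NUL-terminated buffer. On rejection the output
 * is left empty and -1 is returned, so callers never see an unvalidated name. */
int ssid_sanitize_copy(const char *ssid, size_t len, char *out, size_t out_len)
{
    if (out == NULL || out_len < SSID_MAX_LEN + 1)
        return -1;
    if (!ssid_is_safe(ssid, len)) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, ssid, len);
    out[len] = '\0';
    return 0;
}
```

Rejecting the name early means an attacker-controlled SSID never reaches the file-creation path the advisory describes.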
The device contains hard-coded information that could enable a threat actor with physical access to the unit to acquire privileged access, steal patient data, and alter device variables. The vulnerability is tracked as CVE-2022-38069 with a CVSS severity rating of 4.3. Active debug code was not removed (CVE-2022-38453), making it easier for a threat actor to copy sensitive code and discover additional vulnerabilities.
The following steps are suggested to minimize the risk of exploitation:
- Turn off the UART features at the CPU level
- Implement unique device authentication before granting terminal/bootloader access
- Wherever possible, implement secure boot
- Put tamper stickers on the device casing to show whether a device has been opened
Users should additionally limit access to the devices, reduce network exposure, place the devices behind firewalls, and use a secure method such as a VPN to connect to the device when remote access is needed.
Researchers at Level Nine discovered the vulnerabilities.