Feds warn of flaws in Siemens molecular imaging systems
[Correction: An earlier version of this article misstated that the flaws affect Siemens MRI and CT scanners. The vulnerabilities are only in the vendor’s SPECT, SPECT/CT, and PET/CT.]
Siemens is preparing patches in a range of its molecular imaging products after the U.S. Department of Homeland Security’s ICS-CERT team found four vulnerabilities in the company’s software for select molecular imaging systems.
All of the discovered vulnerabilities can be publicly exploited, allowing a hacker to remotely execute code and potentially compromise the systems or their safety.
Siemens SPECT Workplaces/Symbia.net systems, PET/CT systems, SPECT/CT systems and SPECT systems for Windows XP and Windows 7 are all part of the alert. Public exploits exist only for the Windows 7 bugs, but an attacker with low-level skills could easily exploit the vulnerabilities.
The flaws are highly critical and ranked 9.8 out of 10 on the Common Vulnerability Scoring System.
One flaw in the built-in web server running on these systems can allow a hacker to execute arbitrary code with crafted HTTP requests to Microsoft’s web server on port 80/tcp and port 443/tcp, which allows code to be injected into the device.
The other three vulnerabilities are in the HP Client Automation Service software that remotely manages system software. If exploited, a hacker could inject and execute code by exploiting a memory buffer flaw.
Another attack would allow a hacker to remotely bypass access controls and elevate the hacker’s privileges on the network.
“Siemens is preparing updates for the affected products and recommends protecting network access to the Molecular Imaging products with appropriate mechanisms,” officials said in a statement. “It’s advised to run the devices in a dedicated network segment and protected IT environment.”
The devices shouldn’t be reconnected to the network until Siemens delivers patches.
ICS-CERT is also instructing clients with the vulnerable devices to make sure the tools aren’t connected to the internet. Further, healthcare organizations should locate all medical and remote devices behind firewalls and isolate the tools from the network.
“When remote access is required, use secure methods, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available,” officials said. “Also, recognize that VPN is only as secure as the connected devices.”
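As an added example that is not part of the article or of any Siemens or ICS-CERT material, the following script audits constructed firewall-log flows against the segmentation advice above: only a management subnet may reach the imaging systems (including the web server ports named in the advisory), and the devices must never initiate connections outside their own segment. The address ranges and the log format are assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumed addressing, not from the advisory: the imaging systems sit in a
# dedicated segment and only a single management subnet may reach them.
IMAGING_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
MGMT_SUBNET = ipaddress.ip_network("10.10.5.0/24")
ALLOWED_PEERS = (IMAGING_SEGMENT, MGMT_SUBNET)
# Services named in the advisory: the built-in web server on 80/tcp and 443/tcp.
DEVICE_WEB_PORTS = {80, 443}

Flow = namedtuple("Flow", "src dst dport proto")

def parse_flow(line):
    """Parse a constructed 'src dst dport proto' firewall-log line into a Flow."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())

def check_flow(flow):
    """Return a finding string if the flow violates the segmentation policy, else None."""
    to_device = flow.dst in IMAGING_SEGMENT
    from_device = flow.src in IMAGING_SEGMENT
    src_allowed = any(flow.src in net for net in ALLOWED_PEERS)
    dst_allowed = any(flow.dst in net for net in ALLOWED_PEERS)
    if to_device and not src_allowed:
        what = "web server" if flow.proto == "tcp" and flow.dport in DEVICE_WEB_PORTS else "port"
        return f"{what} {flow.dport}/{flow.proto} on {flow.dst} reached from outside the allowed networks ({flow.src})"
    if from_device and not dst_allowed:
        return f"imaging system {flow.src} initiated a connection outside its segment ({flow.dst}:{flow.dport})"
    return None

def audit(log_lines):
    """Run every non-empty log line through the policy and collect the findings."""
    return [f for f in (check_flow(parse_flow(l)) for l in log_lines if l.strip()) if f]

# Constructed sample flows: management host to device (expected), a workstation
# outside the management subnet hitting the device web server, a device reaching
# out to a non-internal address, and device-to-device traffic inside the segment.
SAMPLE_LOG = """\
10.10.5.20 10.50.0.7 443 tcp
192.168.40.9 10.50.0.7 80 tcp
10.50.0.7 203.0.113.5 443 tcp
10.50.0.7 10.50.0.8 3389 tcp
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```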
The majority of hospital organizations don’t leverage these security protections for medical devices.
“While a lot of newer devices have safeguards built in, organizations can’t replace [older models],” said Kurt Hagerman, CISO of security firm Armor. “The problem is, they don’t have the money to replace the outdated tools. They have to take a pragmatic approach.”
“The fixes are being implemented, but it’s going to take time for a lot of organizations to get through replacing these outdated devices,” he said.