
5 Top Critical Vulnerabilities In Need of Patch, Software Update

An attacker only needs to exploit one flaw to gain a foothold onto a network. Given patch management challenges and a reliance on legacy tech, providers must update critical vulnerabilities.


By Jessica Davis

The healthcare sector has remained a crucial target for hackers over the course of the last five years. But despite a heavy reliance upon legacy technologies, industry stakeholders have repeatedly warned that many providers continue to struggle to patch known flaws in a timely manner.

Many patch management challenges exist in healthcare given the extreme number of devices providers rely upon for daily operations and patient care. Security researchers have shared multiple case studies of providers learning that their estimates of the number of devices connected to the network are often drastically lower than the actual number.

These challenges have only been heightened amid the COVID-19 response, with threat actors working to exploit the expansion of remote work and telehealth, as well as pandemic fears for their financial gain. Many threat actors are attacking known vulnerabilities to gain a foothold into enterprise networks, often leveraging stolen credentials and brute-force attacks on vulnerable endpoints. 

In light of these attacks, healthcare’s security leaders should review their device inventories to ensure accuracy and then confer with their vendors to verify they’ve applied all security updates.

With that in mind, HealthITSecurity.com has compiled some of the most critical vulnerabilities disclosed in the last six months in need of urgent attention. By no means is this an exhaustive list.

Microsoft Windows 10 Server Message Block 3.1.1 (SMBv3) 


In early March, DHS CISA urged organizations across all sectors to review a Microsoft advisory about a critical vulnerability found in the Server Message Block 3.1.1 (SMBv3) of all Windows 10 platforms and Server versions 1903 and 1909. Legacy platforms were not impacted as the flaw exists in a new feature found in Windows 10 versions. 

The CVE-2020-0796 vulnerability was inadvertently disclosed by the tech giant without a software update and the patch was provided two days later. 

The remote code execution flaw exists in the way the SMBv3 protocol handles certain requests. If a hacker successfully exploits the flaw, they would be able to execute arbitrary code on the target server or SMB client. Reports have found the flaw to be wormable, much like the flaw exploited in the 2017 WannaCry cyberattacks.

Despite the severity of the flaw and the availability of a patch, DHS CISA warned in June that hackers were successfully exploiting it in organizations that had failed to apply the provided update. A functional, publicly available proof of concept (POC) is able to exploit the vulnerability, which hackers are using to target exposed systems.

Officials urged organizations to not just apply the provided patch to CVE-2020-0796, but ensure all provided software updates have been applied to any known vulnerabilities. 
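As an added illustration (not code from the article or from Microsoft), the following PowerShell function gives an administrator a read-only way to check a Windows host against this advisory: whether it runs one of the affected releases named above, and whether Microsoft's documented interim workaround, disabling SMBv3 compression through the DisableCompression registry value under LanmanServer\Parameters, is in place. The function and output field names are my own; the registry path and value are the ones Microsoft's advisory for this CVE describes.

```powershell
# Added example, not from the article: read-only exposure check for CVE-2020-0796.
# Assumptions: Windows with PowerShell 5.1 or later, read access to HKLM, and the
# function/field names below are mine. The DisableCompression value is the interim
# workaround Microsoft documented; a DWORD of 1 turns SMBv3 compression off.

function Test-Smbv3CompressionExposure {
    [CmdletBinding()]
    param()

    # Releases the advisory names as affected: Windows 10 / Server 1903 and 1909.
    $affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $isAffected = $affectedBuilds.ContainsKey($build)

    # Workaround status: absent value or anything other than 1 means compression is still on.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                               -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $params) -and ($params.DisableCompression -eq 1)

    # Exposure only matters if the SMB server is actually listening on TCP 445.
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    if (-not $isAffected) { $status = 'Not an affected release' }
    elseif ($compressionDisabled) { $status = 'Workaround in place; still install the March 2020 update' }
    elseif (-not $listening) { $status = 'Affected build, SMB server not listening; patch when possible' }
    else { $status = 'EXPOSED: install the update or disable SMBv3 compression' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        Release             = if ($isAffected) { $affectedBuilds[$build] } else { 'n/a' }
        AffectedRelease     = $isAffected
        CompressionDisabled = $compressionDisabled
        Port445Listening    = $listening
        Status              = $status
    }
}

# Run locally; wrap in Invoke-Command to sweep an inventory of hosts.
Test-Smbv3CompressionExposure | Format-List
```

The workaround only protects the SMB server side, so a host reported as "Workaround in place" still needs the update before it is safe as an SMB client.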

Bluetooth Low Energy Flaws in Various Medical Devices


In March, the Food and Drug Administration warned of a series of Bluetooth Low Energy (BLE) flaws in chips made by several microchip manufacturers, such as Texas Instruments, NXP, Cypress, Dialog Semiconductors, and others, which are used in various medical devices.

A successful exploit would allow an attacker to remotely crash a device or access its data. Dubbed SweynTooth, the flaw could enable a device crash, stop its function, or access internal functions typically only available to an authorized user. 

What’s worse is that the vulnerable chips are built into medical devices worn by or implanted in patients, as well as patient monitors, wearable IoT products, electrocardiograms, and a host of other devices that could impact patient safety.

Medical device manufacturers have been reviewing what devices could be impacted by SweynTooth, as well as potential remediation recommendations. Some manufacturers have also created software updates to remediate the flaw.

Ripple20 Flaws Found in IoT Medical Devices

Researchers from JSOF reported on a group of 19 vulnerabilities in June dubbed Ripple20, which impact hundreds of millions of connected devices – including a host of IoT medical devices. 


Found in the widely used TCP/IP communication stack and software library developed by Treck, Ripple20 includes multiple remote code execution flaws. 

The majority of the vulnerabilities are caused by bugs in memory management, and “historically related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities.”

If exploited, a hacker could perform a range of malicious activities, including data theft and interrupting the device function. Four of the 19 vulnerabilities were ranked critical, two were listed at the highest severity, and two were ranked 9.0 out of 10. One flaw could cause an information leak. 

The complete impact of the flaw is still unknown, as some of the impacted vendors also deploy software based on the Treck design. 

“The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor,” researchers explained at the time. “The widespread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect.’”

“A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” they added. 

Following the report, security researchers told HealthITSecurity.com that the healthcare sector is the most impacted by Ripple20 flaws with more than 52,000 medical device models employing the Treck technology. Given that the software updates will likely come in waves, patch management of the flaw will be time-consuming. 

Virtual Private Network (VPN) Vulnerabilities

In 2019, DHS CISA alerted to vulnerabilities found in a range of VPN products of various vendors, including Pulse Secure, FortiGuard, and Palo Alto Networks. An exploit would allow for remote code execution. 

All of the vendors released software updates, but in January 2020, the agency reported many organizations had failed to apply the provided patches. 

As a result, hackers were actively targeting and exploiting the flaws to take control over the vulnerable systems, which allowed for remote cyberattacks. As the COVID-19 pandemic has fueled the expansion of telehealth, remote patient care, and telework, VPN usage has skyrocketed – and the risk has followed suit.  

Further adding to the risk, hackers leaked more than 900 enterprise VPN server passwords on the dark web in plain text, while DHS CISA warned that even patched VPNs were continuing to be exploited on systems with weak password management.

Baxter, BD Alaris, and Biotronik Medical Device Flaws

DHS CISA urged organizations to apply software updates or other remediation efforts to six serious vulnerabilities found in several Baxter and Biotronik medical devices that could enable an attacker to deploy a DDoS attack or alter system configurations and device data, while compromising patient data. 

Four of the flaws exist in Baxter’s ExactaMix, PrismaFlex and PrisMax, Sigma Spectrum Infusion Pumps, and Hemodialysis Delivery System, which the vendor reported to CISA. The devices transmit sensitive data in cleartext, and further flaws involve hard-coded passwords and weak authentication.

The vulnerability in the BD Alaris PCU infusion pump would also enable a hacker to launch a DDoS attack and disconnect the device from the enterprise wireless network. Meanwhile, flaws in Biotronik CardioMessenger II devices include a lack of encryption of sensitive data, passwords stored in a recoverable format, improper authentication, and sensitive data transmitted in cleartext.

Software updates for some of these flaws are still pending, but the vendors have all provided remediation methods.