Skip to main content

Vulnerabilities in Contec Health CMS8000

Five vulnerabilities affect Contec's ICU CCU Vital Signs Patient Monitor

Threat ID:
CC-4170
Threat Severity:
Low
Threat Vector:
Vulnerability
Published:
22 September 2022 11:58 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Five vulnerabilities affect Contec's ICU CCU Vital Signs Patient Monitor

Affected platforms

The following platforms are known to be affected:

Contec Health CMS8000 ICU CCU Vital Signs Patient Monitor

Threat details

Introduction

CISA have released information on five vulnerabilities in Contec Health CMS8000, a Vital Signs Patient Monitor system in CCU and ICU environments. Successful exploitation of these vulnerabilities could allow a threat actor to cause a denial-of-service condition, modify firmware with physical access to the device, access a root shell, or employ hard-coded credentials to make configuration changes.

Vulnerabilities

Level Nine reported these vulnerabilities to CISA. Contec Health has not responded to requests to work with CISA to mitigate these vulnerabilities.

  • CVE-2022-36385 - IMPROPER ACCESS CONTROLS - CWE-284

An attacker with momentary access to the device can plug in a USB drive and perform a malicious firmware update, resulting in permanent changes to device functionality. No authentication or controls are in place to prevent an attacker from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device. A CVSS v3 base score of 6.8 has been calculated.

  • CVE-2022-38100 - UNCONTROLLED RESOURCE CONSUMPTION - CWE-400

The CMS800 device fails while attempting to parse malformed network data sent by an attacker. An attacker with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CME8000 devices connected to the same network. A CVSS v3 base score of 7.5 has been calculated.

  • CVE-2022-38069 - USE OF HARD-CODED CREDENTIALS - CWE-798

Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow an attacker with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters. A CVSS v3 base score of 4.3 has been calculated.

  • CVE-2022-38453 - ACTIVE DEBUG CODE - CWE-489

Multiple binary application files on the CMS8000 device are compiled with 'not stripped' and 'debug_info' compilation settings. These compiler settings greatly decrease the level of effort for an attacker to reverse engineer sensitive code and identify additional vulnerabilities. A CVSS v3 base score of 3.0 has been calculated.

  • CVE-2022-3027 - IMPROPER ACCESS CONTROL - CWE-284

The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. An attacker could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information. A CVSS v3 base score of 5.7 has been calculated.

Remediation advice

Affected organisations are encouraged to read CISA Medical Advisory ICSMA-22-244-01 and to contact Contec Health for more information regarding these vulnerabilities.

The following mitigations could assist in reducing the risk for exploitation of vulnerabilities:

  • Disabling UART functionality at the CPU level
  • Enforcing unique device authentication before granting access to the terminal / bootloader
  • Where possible, enforcing secure boot. 
  • Tamper stickers on the device casing to indicate when a device has been opened

CISA recommends users take defensive measures to minimise the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Secure physical access.
  • Minimise network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognising VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise VPN is only as secure as its connected devices.

CISA reminds organisations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CVE Vulnerabilities

Status Published

CVE-2022-36385

A threat actor with momentary access to the device can plug in a USB drive and perform a malicious firmware update, resulting in permanent changes to device functionality. No authentication or controls are in place to prevent a threat actor from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device.
Status Published

CVE-2022-38100

The CMS800 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CME8000 devices connected to the same network.
Status Published

CVE-2022-38069

Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters
Status Published

CVE-2022-38453

Multiple binary application files on the CMS8000 device are compiled with 'not stripped' and 'debug_info' compilation settings. These compiler settings greatly decrease the level of effort for a threat actor to reverse engineer sensitive code and identify additional vulnerabilities.
Status Published

CVE-2022-3027

The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. A threat actor could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information.

Last edited: 28 September 2022 3:18 pm