CISA Warns About Siemens, Philips Medical Device FlawsVulnerabilities Identified in Siemens' Nucleus RTOS, Philips MRI Products
Federal authorities this week issued alerts about security vulnerabilities identified in medical device products from two manufacturers, Siemens and Philips. Both companies also issued their own advisories related to the issues.
The advisories, all issued Tuesday, concern 13 security flaws in the TCP/IP stack and related services of Siemens' Nucleus Real-Time Operating System and three vulnerabilities in certain Philips MRI products.
Siemens Nucleus RTOS Flaws
Siemens' Nucleus RTOS is a component in some medical devices, such as anesthesia machines and patient monitors, as well as some industrial systems used in other industries, according to a report issued this week by security firms Forescout Research Labs and Medigate.
Researchers at the two companies identified the vulnerabilities in the Siemens products and reported them to CISA, which issued an advisory.
The Siemens product vulnerabilities, which Forescout and Medigate have dubbed "Nucleus:13," were found in the TCP/IP stack and related services - including FTP and TFTP - of the networking component, Nucleus NET, of the Nucleus RTOS, CISA says.
The vulnerabilities, with scores ranging from CVSS v3 5.3 to CVSS v3 9.8, include type confusion, improper validation of specified quantity in input, out-of-bounds read, improper restriction of operations within the bounds of a memory buffer, improper null termination, buffer access with incorrect length value, integer underflow, and improper handling of inconsistent structural elements, CISA says.
Collectively, the agency says, the vulnerabilities are exploitable remotely and have low attack complexity.
"Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow an information leakage, or remote code execution," CISA warns.
Affected Siemens products and versions of the Nucleus RTOS include:
- Capital VSTAR - all versions;
- Nucleus NET - all versions;
- Nucleus ReadyStart v3 - all versions prior to v2017.02.4;
- Nucleus ReadyStart v4 - all versions prior to v4.1.1;
- Nucleus Source Code - all versions.
Siemens in its advisory says it has released updates for several of the affected products, and recommends customers to update to the latest versions.
Where updates are not available, Siemens says it recommends countermeasures including protecting network access to devices with appropriate mechanisms.
"In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals," CISA notes.
The types of security vulnerabilities identified in the Siemens products can potentially introduce a number of serious risks to patients that could seriously compromise both their care and their privacy, says healthcare technology attorney Linda Malek, a partner at law firm Moses & Singer LLP.
"Data threat is a risk, as is denial of care by hackers as well as manipulation of or interference with the care that the medical device is intended to address," she says.
"Protecting against and being able to quickly remediate such risks is therefore paramount, particularly as it relates to patient safety."
Philips MRI Vulnerabilities
In its alert, Philips says it reported to CISA three potential low- to medium-severity vulnerabilities affecting certain MRI software solutions, including MRI 1.5T: Version 5.x.x and MRI 3T: Version 5.x.x.
CISA in its advisory notes the vulnerabilities were identified by a Secureworks Adversary Group consultant, who reported the issues to Philips.
The vulnerabilities - with CVSS scores ranging from 4.0 to 6.2 - include improper access control, incorrect ownership assignment for resources, and potential exposure of sensitive information to unauthorized actors, Philips says.
"Successful exploitation of these vulnerabilities may allow an attacker access to execute software, modify system configuration, or view/update files, and export data including patient data to an untrusted environment," CISA notes.
Philips says, to date, it has not received any reports of the exploitation of these vulnerabilities, or incidents from clinical use that the company has been able to associate with the problems.
Philips plans to release a software upgrade that will correct these issues for affected software in the third quarter of 2022, the company says.
As an interim mitigation to these vulnerabilities, the company recommends that users operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls.
Philips also recommends that "only allowed personnel" be permitted in the vicinity of the affected products.
If these Siemens or Philips product vulnerabilities are exploited, the patient can be affected and care can be disrupted, says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
"Patient care is the number one priority of healthcare organizations. Having vulnerabilities that leave the door open to threats like ransomware put the patient at risk," he says.
That includes quickly identifying and remediating potential security vulnerabilities during the product design stage, according to Malek.
"Device manufacturers should be proactive in addressing such vulnerabilities so that they, patients and others in the healthcare sector are not forced to be reactive at the post-market stage," she says.
Some considerations include how and whether the device is intended to communicate with other devices, and addressing any vulnerabilities; what data is being collected and whether up-to-date encryption has been implemented; how software will be maintained and updated, whether automatically or through user intervention, she suggests.
"When a security incident occurs, device manufacturers and healthcare providers should be prepared by having a well-developed incident response plan in place," Malek says.
"All staff should be trained on the response plan, communication channels should be well established, and extra devices should be readily available for replacement purposes as necessary."
In addition, it is critical that healthcare organizations understand their ever-evolving asset and threat landscape, Denkers says.
Organizations having "proper visibility across all things IT/OT" allows for a clearer picture, which helps ensure security resiliency, he adds.
"Continually validating that security controls are effective also allows for gaps to quickly be identified and fixed, prior to a potential compromise."