Press "Enter" to skip to content

Siemens Software Vulnerabilities Issues by CISA

This week, the US Cybersecurity and Infrastructure Security Agency issued an advisory about critical vulnerabilities in medical device software. The group of 13 new vulnerabilities affects Siemens’ Nucleus TCP/IP stack, according to a blog post from Forescout Research Labs. Remote code execution, denial of service, and information leak are all possible consequences of the issues. However, the team at Forescout, which discovered the flaws with the help of Medigate Labs, described it as “notoriously tough” to figure out where the code could be found.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” the alert said. Despite this, they discovered 2,233 susceptible Nucleus devices in the healthcare industry, which Siemens acquired in 2017. Anesthesia equipment, patient monitors, and other “safety-critical” devices are among those affected, according to Forescout.

The severity of the vulnerabilities varies, with the most serious receiving a CVSS score of 9.8 out of 10. According to Forescout, this vulnerability could lead to denial-of-service and remote code execution. In addition, according to CNN’s coverage of the findings, Forescout researchers could utilize one weakness to turn off the lights and HVAC system in a simulated patient room using a building automation system used in hospitals.

According to CISA, there are no publicly available exploits that directly target these flaws. All of them have been patched by Siemens. To address the issues, Forescout suggested a mitigation technique for network operators. Cisco, GE Healthcare, and Philips are among the significant device manufacturers who have issued statements in response to the findings. During the COVID-19 pandemic, medical device security has become more critical when remote patient monitoring and telehealth have enlarged hospitals’ network endpoints.

Be First to Comment

Leave a Reply

Your email address will not be published.