Security News > 2021 > August > Critical vulnerabilities may allow attackers to compromise hospitals’ pneumatic tube system
Armis researchers have unearthed critical vulnerabilities in Swisslog Healthcare's Translogic pneumatic tube system, which plays a crucial role in patient care in more than 3,000 hospitals worldwide.
Attackers exploiting the vulnerabilities could gain complete control over the PTS network, negatively affect the functioning of the system and damage sensitive materials, compromise sensitive information, and interfere with the hospitals' workflows.
Their own research uncovered nine vulnerabilities affecting the Translogic Nexus Control Panel, which powers all current models of Translogic pneumatic tube system stations.
These include hardcoded passwords of user and root accounts, a privilege escalation vulnerability that could be exploited to gain root access, memory corruption vulnerabilities that could be used to achieve RCE and mount DoS attacks, a separate DoS vulnerability, and design flaws that allow unencrypted, unauthenticated and unsigned firmware updates on the Nexus Control Panel.
"The most severe of the discovered vulnerabilities can allow an attacker to maintain persistence on compromised PTS stations via their unsecure firmware upgrade procedure, allowing him to hold the stations hostage, until a ransom is paid," the researchers noted.
Other vulnerabilities may allow the attacker to manipulate the system to damage sensitive items transported through it, redirect them to incorrect stations, access staff records and their RFID credentials, trigger false alerts to the sytem's maintenance crew, and more.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/eHpBqX2s5EM/
Related news
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical vulnerabilities persist in high-risk sectors (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List (source)