9 critical vulnerabilities affect pneumatic tube system stations used in hospitals worldwide

A set of 9 critical vulnerabilities in pneumatic tube system (PTS) stations could put critical operations in hospitals around the world at risk. The flaws, collectively named PwnedPiper, affect infrastructure responsible for transporting blood, tissue and laboratory samples, so a successful attack could prove disastrous.

To be precise, these vulnerabilities reside in Swisslog’s TransLogic PTS solutions, which transport sensitive clinical material over long distances in hospitals with modern infrastructure.

The report by security firm Armis notes that unauthenticated threat actors could gain full control over some Internet-connected TransLogic PTS stations and then take full control of the affected hospital’s network. As mentioned at the beginning, the company detected a total of 9 security flaws in the firmware that powers the Nexus Control Panel used to manage TransLogic PTS devices.

Not all of the detected flaws can be exploited remotely, but because they reside in hospital infrastructure they are considered a critical safety risk. The report was shared with the manufacturer, and Swisslog has confirmed that the security issues exist and reside on the HMI-3 circuit board of Nexus panels exposed to the Internet.

In a later statement, Swisslog’s chief privacy officer Jennie McQuade confirmed that the flaws exist and are exploitable only under specific circumstances: “The likelihood that these implementations will be compromised depends on threat actors having access to the affected network; this would allow the abuse of other flaws and subsequent issues.”

Below are the 9 security flaws found by the researchers:

  • CVE-2021-37163: Two always-active hardcoded passwords accessible over Telnet
  • CVE-2021-37167: Privilege escalation flaw using the hardcoded credentials
  • CVE-2021-37166: Denial of service (DoS) flaw caused by the GUI process of Nexus Control Panel
  • CVE-2021-37161: Underflow in udpRXThread
  • CVE-2021-37162: Overflow in sccProcessMsg
  • CVE-2021-37165: Overflow in hmiProcessMsg
  • CVE-2021-37164: Off-by-three stack overflow in tcpTxThread
  • CVE-2021-37160: Unencrypted, unauthenticated firmware upgrades on the Nexus Control Panel

Of all the reported flaws, CVE-2021-37160 is considered the most dangerous, as its successful exploitation would allow hackers to install a malicious version of the firmware and take control of the entire affected system.
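The missing control behind CVE-2021-37160 is a firmware authenticity check before an image is flashed. The following is an added example (not Swisslog's code or image format): an updater that accepts only images signed by a pinned vendor Ed25519 public key and refuses version rollbacks, with a constructed header layout and payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (assumption, not the real Nexus format):
// 4-byte big-endian version | payload | 64-byte Ed25519 signature over version+payload.
const sigLen = ed25519.SignatureSize

// BuildImage signs a firmware payload with the vendor's private key.
// Signing happens at the vendor; the device only ever holds the public key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(body, version)
	copy(body[4:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the check an updater must run before flashing: reject anything
// not signed by the pinned vendor key, and refuse downgrades to older (possibly
// vulnerable) versions. Returns the new version and payload on success.
func VerifyImage(pub ed25519.PublicKey, current uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 4+sigLen {
		return 0, nil, errors.New("image too short")
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature check failed: image rejected")
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version <= current {
		return 0, nil, fmt.Errorf("rollback refused: version %d <= installed %d", version, current)
	}
	return version, body[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)
	img[4] ^= 0x01 // flip one payload byte, as a tampered or malicious image would
	_, _, err = VerifyImage(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```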

Further details about the flaws, security patches or mitigations are not available at the moment, so affected users are advised to stay abreast of any new information published by the manufacturer.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.