
PwnedPiper Threatens Thousands of Hospitals Around the World

 3 years ago
source link: https://news.softpedia.com/news/pwnedpiper-threatens-thousands-of-hospitals-around-the-world-533642.shtml

Cybersecurity experts discovered critical security vulnerabilities in widely used hospital tube systems

New critical vulnerabilities in hospital pneumatic tube software allow threat actors to take control of systems and launch massive attacks that can disrupt or even shut down healthcare operations, according to Tech Republic.

The Nexus Control Panel software is used to control Swisslog Healthcare's Translogic pneumatic tube systems (PTS) in more than 3,000 hospitals worldwide. Armis cybersecurity researchers uncovered 9 critical vulnerabilities that, if properly exploited, could lead to a complete shutdown of hospital operations. Tube systems are used to transport blood, deliver medication, and ship lab samples throughout buildings, tasks that would take too long on foot.

According to Armis, although PTS are often connected to the Internet, the security of these systems has never been considered a problem.

The following are the nine critical vulnerabilities: 

CVE-2021-37160 - Unauthenticated, unsigned, unencrypted firmware upgrade

CVE-2021-37166 - GUI socket Denial Of Service

CVE-2021-37165 - TLP2 implementation memory corruption flaw (Overflow in hmiProcessMsg)

CVE-2021-37162 - TLP2 implementation memory corruption flaw (Overflow in sccProcessMsg)

CVE-2021-37164 - TLP2 implementation memory corruption flaw (Off-by-three stack overflow in tcpTxThread)

CVE-2021-37163 - Two hardcoded passwords accessible via the Nexus Control Panel's Telnet server

CVE-2021-37167 - Vulnerability related to root running a user script

CVE-2021-37161 - TLP2 implementation memory corruption flaw (Underflow in udpRXThread)

An attacker could exploit the vulnerabilities to gain access to a hospital network and take over Nexus stations through remote code execution. Once a Nexus station is compromised, it can be used to gather information about hospital employees and IT systems, as well as network layouts, which can then be used to penetrate deeper into the network and launch ransomware attacks.

Following the discovery of the Nexus PTS control software vulnerabilities at the beginning of May 2021, Armis worked with Swisslog to ensure updates were provided and clients were properly informed. Swisslog has issued a security advisory and plans to issue a patch for the vulnerabilities on August 2.

According to the company, the latest patch (v7.2.5.7) should fix all of the reported vulnerabilities except the unsigned firmware update vulnerability (CVE-2021-37160), which will be handled in a future release.

