H-ISAC TLP White Armis Discovers 9 Vulnerabilities in Infrastructure Used by 80% of Major Hospitals in North America

H-ISAC TLP White Vulnerability Report
August 2, 2021

Armis researchers have identified nine critical vulnerabilities in one of the leading providers for pneumatic tube systems (PTS) in North America, the Translogic PTS system developed by Swisslog Healthcare.


This Translogic PTS system is used in over 80% of hospitals in North America and has been installed in over 3,000 hospitals worldwide. PTS systems play a crucial role in patient care and are utilized nearly constantly. Dubbed PwnedPiper by Armis researchers, the vulnerabilities allow for complete takeover of the Translogic NexusControl Panel, which powers all current models of Translogic PTS stations that are actively supported by Swisslog Healthcare. Older models that are not currently supported by Swisslog Healthcare are impacted as well.

The Swisslog PTS system is vital to hospital operations as it automates logistics and the transport of materials throughout the hospital via a network of pneumatic tubes. The system is designed so that hospitals can provide better patient care with automated material transport that includes highly-sensitive materials like lab specimens, blood products, pathology lab tests, medications, and more. Prior to the use of PTS systems, hospitals were required to manually transfer the various items, and today, due to their wide adoption, these systems are vital for proper workflow of hospital operations.

These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.

A high-level description of the discovered vulnerabilities is listed below. All of the vulnerabilities can be triggered by sending unauthenticated network packets, without any user interaction.

  • A hardcoded-password vulnerability affecting the user and root accounts. The accounts can be reached by logging in to the Telnet server on the Nexus Control Panel, which is enabled by default and cannot be turned off through the system's native configuration.
    • CVE-2021-37163 - Two hardcoded passwords accessible through the Telnet server
  • A privilege escalation (PE) vulnerability due to a user script being run by root. Using the hardcoded credentials of the user account over the Telnet server, the user can leverage this PE to gain root access.
    • CVE-2021-37167 - User script run by root can be used for PE
  • Four memory corruption bugs in the Nexus Control Panel's implementation of the TLP20 protocol, which can lead to remote code execution and denial of service. TLP20 is the control protocol for all Translogic stations.
    • CVE-2021-37161 - Underflow in udpRXThread
    • CVE-2021-37162 - Overflow in sccProcessMsg
    • CVE-2021-37165 - Overflow in hmiProcessMsg
    • CVE-2021-37164 - Off-by-three stack overflow in tcpTxThread
  • A denial-of-service vulnerability caused by the GUI process on the Nexus Control Panel binding a local service on all network interfaces, which allows external connections to hijack that connection. An attacker can thereby impersonate the GUI toward the low-level process that controls the Nexus Control Panel, effectively gaining access to all GUI commands over the network.
    • CVE-2021-37166 - GUI socket Denial of Service
  • A design flaw in which firmware upgrades on the Nexus Control Panel are unencrypted, unauthenticated and unsigned. This is the most severe vulnerability, since an attacker can gain unauthenticated remote code execution by initiating a firmware update procedure, while also maintaining persistence on the device.
    • CVE-2021-37160 - Unauthenticated, unencrypted, unsigned firmware upgrade

Armis reported the vulnerabilities to Swisslog on May 1, 2021 and worked with the developers to create and test a viable patch (v7.2.5.7) for the affected systems, as well as to develop alternative mitigation steps for hospitals unable to apply the fix right away.

View the entire report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272