www.bleepingcomputer.com
104.20.60.209  Public Scan

URL: https://www.bleepingcomputer.com/news/security/pwnedpiper-critical-bug-set-impacts-major-hospitals-in-north-america/
Submission: On August 04 via manual from US

Text Content


PWNEDPIPER CRITICAL BUG SET IMPACTS MAJOR HOSPITALS IN NORTH AMERICA

By Ionut Ilascu

August 2, 2021, 06:41 AM

Pneumatic tube system (PTS) stations used in thousands of hospitals worldwide
are vulnerable to a set of nine critical security issues collectively referred
to as PwnedPiper.

PTS solutions are part of a hospital’s critical infrastructure as they are used
to quickly deliver items like blood, tissue, lab samples, or medication to where
they’re needed.

The flaws are in some of Swisslog’s TransLogic Pneumatic Tube System, an
automated material transport solution for carrying medical items across longer
distances in medium to large hospitals.

According to the maker, TransLogic PTS is present in more than 2,300 hospitals
in North America and more than 3,000 units worldwide benefit from 24/7 customer
support.


CRITICAL BUG LEFT UNPATCHED 

Research from Armis, a connected device security company, revealed that an
unauthenticated attacker could gain full control over some TransLogic PTS
stations connected to the internet and then take over the entire PTS network of
a target hospital.

Specifically, the company discovered nine critical vulnerabilities in the
firmware powering the Nexus Control Panel for managing “all current models of
Translogic PTS stations.”

While not all the issues could be exploited by a remote attacker, their severity
level remains high, given a PTS' role in a hospital. 

Swisslog acknowledged the security issues and says that they impact the HMI-3
circuit board in Nexus Panels connected to the internet. The company notes in an
advisory this weekend that the affected PTS products “are deployed primarily in
hospitals within North America.”

Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, says that the
security issues are not present unless a mix of variables exists. 

"The potential for pneumatic tube stations (where the firmware is deployed) to
be compromised is dependent on a bad actor who has access to the facility’s
information technology network and who could cause additional damage by
leveraging these exploits" - Swisslog

When investigating the code powering the TransLogic PTS, Armis found the
following vulnerabilities:

 * CVE-2021-37163: two cases of always-active hardcoded passwords (user and root
   accounts), accessible over Telnet
 * CVE-2021-37167: privilege escalation; using the hardcoded credentials, an
   attacker could run a user script with root privileges
 * CVE-2021-37166: denial-of-service (DoS) caused by the GUI process of Nexus
   Control Panel binding a local service on all interfaces

Four memory corruption bugs in the control protocol (TLP20) of TransLogic
stations that could lead to remote code execution or at least a
denial-of-service (DoS) condition:

 * CVE-2021-37161 - Underflow in udpRXThread
 * CVE-2021-37162 - Overflow in sccProcessMsg
 * CVE-2021-37165 - Overflow in hmiProcessMsg
 * CVE-2021-37164 - Off-by-three stack overflow in tcpTxThread

And the most severe of all:

 * CVE-2021-37160: unencrypted, unauthenticated firmware upgrades on the Nexus
   Control Panel. An attacker could leverage it to install malicious firmware on
   the system, essentially taking full control over it.

All of these vulnerabilities are collectively dubbed 'PwnedPiper' by the
researchers.

Armis reported the vulnerabilities on May 1 and worked with Swisslog to develop
and test a viable patch (v7.2.5.7), as well as find mitigation steps for
hospitals unable to apply the fix right away.

The current firmware update, however, addresses all but one vulnerability above,
CVE-2021-37160, which is also the most severe of all. Swisslog will fix this,
too, in a future firmware release.




PROTECTING AGAINST PWNEDPIPER VULNERABILITIES

For hospitals that cannot install the latest firmware update for TransLogic PTS,
Armis provides the following steps to defend against potential PwnedPiper
attacks:

 * Block any use of Telnet (port 23) on the TransLogic PTS stations (the Telnet
   service is not required in production)
 * Deploy access control lists (ACLs), in which TransLogic PTS components
   (stations, blowers, diverters, etc.) are only allowed to communicate with the
   TransLogic central server (SCC).
 * Use the following Snort IDS rule to detect exploitation attempts of
   CVE-2021-37161, CVE-2021-37162 and CVE-2021-37165:

alert udp any any -> any 12345 (msg:"PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet"; dsize:

 * Use the following Snort IDS rule to detect exploitation attempts of
   CVE-2021-37164:

alert udp any any -> any 12345 (msg:"PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet"; dsize:>350; content:"TLPU"; depth:4; reference:cve,2021-37164; reference:url,https://www.armis.com/pwnedPiper; sid:9800001;)

Armis researchers Barak Hadad and Ben Seri explain the bugs in a technical paper
and how a local or remote attacker could exploit them. They will also present
the findings this week at the Black Hat security conference.



IONUT ILASCU

Ionut Ilascu is a technology writer with a focus on all things cybersecurity.
The topics he writes about include malware, vulnerabilities, exploits and
security defenses, as well as research and innovation in information security.
His work has been published by Bitdefender, Netgear, The Security Ledger and
Softpedia.