Vyaire Medical CareFusion Utility Upgraded

Tuesday, February 6, 2018 @ 02:02 PM gHale


There is an uncontrolled search path element vulnerability in Vyaire Medical’s CareFusion Upgrade Utility application, according to a report from ICS-CERT.

A fix is available; however, Vyaire Medical is no longer supporting the CareFusion Upgrade Utility v2.0.2.2 and recommends users upgrade to the newer Vyaire Upgrade Utility v2.0.3.0. The updated Upgrade Utility will not install on Windows XP and requires updating the underlying system to Windows 7 or later.

The issue affects CareFusion Upgrade Utility Version 2.0.2.2 and prior versions used with Windows XP systems.

Successful exploitation of this vulnerability, discovered by independent researcher Mark Cross (@xerubus), may allow an attacker to insert a malicious DLL on the target system and run arbitrary code.

Vyaire Medical is a U.S.-based company.

The affected product, CareFusion Upgrade Utility, is designed to upgrade compatible units to the latest software versions. CareFusion Upgrade Utility is deployed across the healthcare and public health sector. Vyaire Medical estimates these products are used primarily in the United States and Europe, with a small percentage in Asia.

A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application.
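To make the uncontrolled search path condition concrete for defenders, the following added example (not from ICS-CERT or Vyaire Medical) models the documented Windows search order for a DLL requested by bare name and reports every user-writable directory consulted at or before the point where the DLL resolves. The directory layout, the `helper.dll` name and the writability flags are constructed assumptions; KnownDLLs, manifests and DLL redirection are not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dir:
    path: str
    user_writable: bool             # outcome of an ACL review for non-admin users
    files: frozenset = frozenset()  # lower-cased file names present in the directory

def search_order(app, system, system16, windows, cwd, path_dirs, safe_mode=True):
    """Standard desktop search order for a bare DLL name.
    With SafeDllSearchMode off, the current directory moves up to second place."""
    if safe_mode:
        return [app, system, system16, windows, cwd, *path_dirs]
    return [app, cwd, system, system16, windows, *path_dirs]

def audit(dll_name, order):
    """Return (resolving_dir, exposed_dirs). exposed_dirs lists the user-writable
    directories searched at or before the directory that supplies the DLL;
    a file planted in any of them would be loaded instead of the intended one."""
    exposed = []
    for d in order:
        if d.user_writable and d.path not in exposed:
            exposed.append(d.path)
        if dll_name.lower() in d.files:
            return d.path, exposed
    return None, exposed  # DLL not found: every writable dir searched is exposed

# Constructed sample layout (hypothetical paths and file name).
APP = Dir(r"C:\UpgradeTool", False)
SYS = Dir(r"C:\Windows\System32", False, frozenset({"helper.dll"}))
SYS16 = Dir(r"C:\Windows\System", False)
WIN = Dir(r"C:\Windows", False)
CWD = Dir(r"C:\Users\tech\Downloads", True)
PATH_DIRS = [Dir(r"C:\Scripts", True)]

def demo(safe_mode, dll="Helper.dll", app=APP):
    order = search_order(app, SYS, SYS16, WIN, CWD, PATH_DIRS, safe_mode)
    return audit(dll, order)

if __name__ == "__main__":
    for mode in (True, False):
        resolved, exposed = demo(mode)
        print(f"safe_mode={mode}: resolves in {resolved}; exposed dirs: {exposed}")
```

An empty exposed list is the goal: it means no directory a standard user can write to is searched before the DLL's legitimate location.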

CVE-2018-5457 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.7.

No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable. A high skill level is needed to exploit it.

Vyaire Medical released a Product Security Bulletin.

Click here for the Vyaire Upgrade Utility v2.0.3.0 update.


