Roche Clears Multiple Point of Care Holes

Tuesday, November 6, 2018 @ 03:11 PM gHale

Roche has mitigation procedures to handle multiple vulnerabilities in its Point of Care handheld medical devices, according to a report with NCCIC.

The vulnerabilities are an improper authentication, OS command injection, unrestricted upload of file with dangerous type and an improper access control.

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to modify system settings or execute arbitrary code. The vulnerabilities are exploitable with adjacent access.

The following versions of Roche’s Point of Care handheld medical devices suffer from the vulnerabilities, discovered by Niv Yehezkel of Medigate:
• Accu-Chek Inform II
• CoaguChek Pro II
• CoaguChek XS Plus
• CoaguChek XS Pro
• cobas h 232 POC
• Including the related base units (BU), base unit hubs and handheld base units (HBU).

The following are Accu-Chek Units not affected by the issues:
• Accu-Chek Inform II Base Unit Light
• Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or newer

In one vulnerability, weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.

CVE-2018-18561 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Affected products:
• Accu-Chek Inform II Base Unit / Base Unit Hub – all versions before 03.01.04
• CoaguChek / cobas h232 Handheld Base Unit – all versions before 03.01.04

In addition, insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system.

CVE-2018-18562 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.0.

Affected products:
• Accu-Chek Inform II Base Unit / Base Unit Hub – all versions before 03.01.04
• CoaguChek / cobas h232 Handheld Base Unit – all versions before 03.01.04

Also, a vulnerability in the software update mechanism allows an attacker in the adjacent network to overwrite arbitrary files on the system through a crafted update package.

CVE-2018-18563 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.0.

Affected products:
• Accu-Chek Inform II Instrument – all versions before 03.06.00 (serial number below 14000) / 04.03.00 (serial Number above 14000)
• CoaguChek Pro II – all versions before 04.03.00
• CoaguChek XS Plus – all versions before 03.01.06
• CoaguChek XS Pro – all versions before 03.01.06
• cobas h 232 – all versions before 03.01.03 (serial number below KQ0400000 or KS0400000)
• cobas h 232 – all versions before 04.00.04 (serial number above KQ0400000 or KS0400000)

In another vulnerability, improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted message.

CVE-2018-18564 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.

Affected Products:
• Accu-Chek Inform II Instrument – all versions before 03.06.00 (Serial number below 14000) / 04.03.00 (Serial Number above 14000)
• CoaguChek Pro II – all versions before 04.03.00
• cobas h 232 – all versions before 04.00.04 (Serial number above KQ0400000 or KS0400000)

In addition, improper access control allows attackers in the adjacent network to change the instrument configuration.

CVE-2018-18565 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.

Affected products:
• Accu-Chek Inform II Instrument – all versions before 03.06.00 (Serial number below 14000) / 04.03.00 (Serial Number above 14000)
• CoaguChek Pro II – all versions before 04.03.00
• CoaguChek XS Plus – all versions before 03.01.06
• CoaguChek XS Pro – all versions before 03.01.06
• cobas h 232 – all versions before 03.01.03 (Serial number below KQ0400000 or KS0400000)
• cobas h 232 – all versions before 04.00.04 (Serial number above KQ0400000 or KS0400000)
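The affected-version lists above depend on both the product and, for two of them, the instrument's serial number range. The following is an added inventory triage helper (not a Roche tool) that encodes those thresholds so a site can check its own fleet against them; the inventory rows are constructed, and it assumes boundary serials (exactly 14000, or exactly KQ0400000/KS0400000) fall in the newer firmware line, and that cobas h 232 serials are a two-letter prefix followed by digits.

```python
# Assumption: boundary serials belong to the newer line; cobas h 232 serials look like "KQ0400000".

def _inform_ii_instrument(serial):
    # Two firmware lines, selected by serial number (advisory: below / above 14000).
    return "03.06.00" if int(serial) < 14000 else "04.03.00"

def _cobas_h232(serial):
    # Serial like "KQ0400000": two-letter batch prefix followed by digits.
    prefix, number = serial[:2].upper(), int(serial[2:])
    if prefix not in ("KQ", "KS"):
        raise ValueError(f"unrecognised cobas h 232 serial: {serial}")
    return "03.01.03" if number < 400000 else "04.00.04"

# Product -> function(serial) -> first fixed version, or None when the product is not affected.
FIXED_VERSION = {
    "Accu-Chek Inform II Instrument": _inform_ii_instrument,
    "Accu-Chek Inform II Base Unit": lambda s: "03.01.04",
    "Accu-Chek Inform II Base Unit Hub": lambda s: "03.01.04",
    "Accu-Chek Inform II Base Unit Light": lambda s: None,
    "CoaguChek Pro II": lambda s: "04.03.00",
    "CoaguChek XS Plus": lambda s: "03.01.06",
    "CoaguChek XS Pro": lambda s: "03.01.06",
    "CoaguChek / cobas h232 Handheld Base Unit": lambda s: "03.01.04",
    "cobas h 232": _cobas_h232,
}

def parse_version(text):
    # "03.01.04" -> (3, 1, 4); tuple comparison then orders versions numerically.
    return tuple(int(part) for part in text.split("."))

def is_affected(product, serial, version):
    """True if the installed version predates the fix for this product / serial line."""
    fixed = FIXED_VERSION[product](serial)
    return fixed is not None and parse_version(version) < parse_version(fixed)

def triage(inventory):
    """Return (product, serial, installed, required) for every device still needing the update."""
    return [(p, s, v, FIXED_VERSION[p](s)) for p, s, v in inventory if is_affected(p, s, v)]

# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    ("Accu-Chek Inform II Instrument", "13999", "03.05.02"),  # old serial line, affected
    ("cobas h 232", "KS0399999", "03.01.02"),                 # old serial line, affected
    ("cobas h 232", "KQ0500000", "03.01.03"),                 # newer line needs 04.00.04
    ("CoaguChek XS Plus", "5", "03.01.06"),                   # already at the fixed version
]
```

Note that a cobas h 232 on 03.01.03 is only fixed if its serial is in the older range; the same version on a newer-range serial still needs 04.00.04.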

The product sees use mainly in the healthcare and public health sectors. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):
• Restrict network and physical access to the device and attached infrastructure by enabling the device security features
• Protect connected endpoints from unauthorized access, theft, and malicious software
• Monitor the system and network infrastructure for suspicious activity and report a suspected compromise according to local policy

For non-connected devices:
• Protect from unauthorized access, theft and manipulation

For all affected products, Roche Diagnostics has scheduled the release of new software updates, with availability beginning this month.

For further information or concerns, contact a local Roche Diagnostics office.
