Siemens is readying patches for a number of vulnerabilities in its molecular imaging products, including some where public exploits are available.
Advisories published Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) indicate that the flaws are remotely exploitable.
“Siemens is preparing updates for the affected products and recommends protecting network access to the Molecular Imaging products with appropriate mechanisms,” ICS-CERT said in its advisory. “It is advised to run the devices in a dedicated network segment and protected IT environment.”
Siemens said its Siemens PET/CT Systems, SPECT/CT Systems, SPECT Systems and SPECT Workplaces/Symbia.net systems for Windows XP and Windows 7 are affected. ICS-CERT said that exploits are available only for the Windows 7 bugs, and that an attacker with relatively low skill level could successfully exploit the vulnerabilities and remotely execute code on the affected devices.
These systems, Siemens said, are used in medical imaging procedures across the healthcare and public health industries worldwide.
Four vulnerabilities affect the Windows 7 versions of the products, all of which are from 2015. One is an improper restriction of operations within the bounds of a memory buffer, which could be exploited using a crafted request sent to an HP Client automation service belonging to the device, as well as another affecting permissions, privileges and access controls on the device. That too is a remote code execution bug that can be exploited through the HP Client. Both vulnerabilities have a CVSS score of 9.8, just shy of the most critical score possible, 10.0.
The remaining vulnerabilities are code injection issues where an attacker can send crafted HTTP requests to the Microsoft IIS webserver over port 80 and 443, and to the HP Client automation service over port 3465. Both of those bugs are also scored 9.8.
The XP bugs include a code injection vulnerability exploitable through a crafted remote procedure call (RPC) sent to the server service of a vulnerable Windows system. The other is an improper restriction of operations within the bounds of a memory buffer where an attacker could run code remotely by sending a crafted HTTP request to the WebDAV service on the Windows server. Both bugs were rated a 9.8 as well, though no public exploits exist, ICS-CERT said.