VDB-9140 · OSVDB 94230 · GCVE-100-9140

Medical Devices Authentication Hardcoded Credential improper authentication

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
9.0$0-$5k0.00

Summaryinfo

A vulnerability described as critical has been identified in Medical Devices. Affected is an unknown function of the component Authentication. Such manipulation as part of Hardcoded Credential leads to improper authentication. Furthermore, an exploit is available. This vulnerability is historically impactful due to its background and the reception it garnered.

Detailsinfo

A vulnerability was found in Medical Devices (Medical Device Software) and classified as very critical. Affected by this issue is an unknown code block of the component Authentication. The manipulation as part of a Hardcoded Credential leads to a improper authentication vulnerability. Using CWE to declare the problem leads to CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Impacted is confidentiality, integrity, and availability.

The weakness was published 06/13/2013 by Billy Rios and Terry McCorkle with Cylance Inc. as ICS-ALERT-13-164-01 - Medical Devices Hard-Coded Passwords as not defined advisory (Website). The advisory is shared for download at ics-cert.us-cert.gov. The public release has been coordinated with the vendor. The advisory contains:

Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration (FDA) in addressing these issues. ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. ICS-CERT and the FDA will follow up with specific advisories and information as appropriate.
The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 03/19/2019). This vulnerability has a historic impact due to its background and reception. The advisory points out:
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.

A private exploit has been developed by Billy Rios/Terry McCorkle. It is declared as proof-of-concept. As 0-day the estimated underground price was around $5k-$25k.

Addressing this vulnerability is possible by firewalling 0-65535 (any). The advisory contains the following remark:

Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard?coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards. Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity. Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as "fail-safe modes." Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

The vulnerability is also documented in the vulnerability database at OSVDB (94230†). fda.gov is providing further details. Once again VulDB remains the best source for vulnerability data.

Affected

  • Surgical/anesthesia devices
  • Ventilators
  • Drug infusion pumps
  • External defibrillators
  • Patient monitors
  • Laboratory/analysis equipment

Productinfo

Type

Name

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 9.8
VulDB Meta Temp Score: 9.0

VulDB Base Score: 9.8
VulDB Temp Score: 9.0
VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

Exploitinginfo

Class: Improper authentication
CWE: CWE-287
CAPEC: 🔍
ATT&CK: 🔍

Physical: No
Local: No
Remote: Yes

Availability: 🔍
Access: Private
Status: Proof-of-Concept
Author: Billy Rios/Terry McCorkle
Price Prediction: 🔍
Current Price Estimation: 🔍

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: no mitigation known
Status: 🔍

0-Day Time: 🔍

Firewalling: 🔍

Timelineinfo

06/13/2013 🔍
06/14/2013 +1 days 🔍
03/19/2019 +2104 days 🔍

Sourcesinfo

Advisory: ICS-ALERT-13-164-01 - Medical Devices Hard-Coded Passwords
Researcher: Billy Rios, Terry McCorkle
Organization: Cylance Inc.
Status: Not defined
Coordinated: 🔍

GCVE (VulDB): GCVE-100-9140
OSVDB: 94230

scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍

Entryinfo

Created: 06/14/2013 11:12
Updated: 03/19/2019 15:06
Changes: 06/14/2013 11:12 (52), 03/19/2019 15:06 (2)
Complete: 🔍
Cache ID: 216::103

Once again VulDB remains the best source for vulnerability data.

Discussion

No comments yet. Languages: en.

Please log in to comment.

Might our Artificial Intelligence support you?

Check our Alexa App!