PwnedPiper Vulnerabilities Found in Swisslog’s Translogic Pneumatic Tube System
The Nine Vulnerabilities Were Discovered in Critical Infrastructure Used by 80% of Major Hospitals in North America.
Security researchers have found several vulnerabilities in the system controlling the pneumatic tube networks used in thousands of hospitals worldwide. Dubbed PwnedPiper, the flaws could allow threat actors to disrupt the services or even launch ransomware attacks.
Researchers from the enterprise-class security platform Armis revealed they have found nine vulnerabilities in Swisslog’s Translogic Nexus Control Panels which powers current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare.
Swisslog Healthcare, a global industry leader for medication management solutions and pneumatic tube system maker, revealed in a security advisory that over 2,300 hospitals in North America and 700 more around the world use its “TransLogic PTS” platform.
The tubes allow staff to provide better patient care with automated material transport that includes highly sensitive materials such as lab specimens, blood products, pathology lab tests, medications, and so on.
How Can PwnedPiper Be Used?
The vulnerabilities can allow an unauthenticated threat actor to gain complete control over Translogic PTS stations and the PTS network of a target hospital. This type of control could further enable ransomware attacks, as well as allow attackers to leak sensitive hospital data.
Compromising the PTS network can allow an attacker to control the carrier’s paths by acting as a man-in-the-middle, and altering the requested destinations of the carriers when a transaction request is sent to the PTS network’s central server.
PwnedPiper includes hard-coded passwords of user and root accounts, a privilege escalation vulnerability, four memory corruption bugs that can lead to remote-code execution and denial-of-service attacks, and a design flaw in which firmware upgrades on the Nexus Control Panel are unencrypted and don’t require any cryptographic signature. The latter is the most severe vulnerability since it can allow an attacker to gain unauthenticated remote-code execution by initiating a firmware update procedure while also maintaining persistence on the device.
Ben Seri, VP of research at Armis, told ZDNet that it was surprisingly easy to find these vulnerabilities:
Too easy, I would say. Although this device has a crucial function in hospitals for the critical infrastructure, the type of vulnerabilities that we found are similar to stuff that you would find on an average IoT device.
From the hospital’s point of view, this is just another reason to go ahead and apply network segmentation in the most effective way possible.
What Happens Next?
The researchers strongly recommend that hospitals apply access controls across their networks, like multi-factor authentication. This way, users can’t gain access to networks and systems they don’t have permission to use in order to prevent intruders from exploiting this ability.
The use of PwnedPiper mitigation steps outlined by Armis in their security advisory is also recommended:
- Block any use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not required in production);
- Deploy access control lists (ACLs), in which Translogic PTS components (stations, blowerd, diverters, etc.) are only allowed to communicate with the Translogic central server (SCC);
- Use the following Snort IDS rule to detect exploitation attempts of CVE-2021-37161, CVE-2021-37162 and CVE-2021-37165:
alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet”; dsize:<21; content:”TLPU”; depth:4; content:”|00 00 00 01|”; distance:4; within:4; reference:cve,2021-37161; reference:url,https://www.armis.com/pwnedPiper; sid:9800002; rev:1;);
- Use the following Snort IDS rule to detect exploitation attempts of CVE-2021-37164:
alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet”;dsize:>350; content:”TLPU”; depth:4; reference:cve,2021-37164; reference:url,https://www.armis.com/pwnedPiper; sid:9800001;).