There are six security advisories involving Siemens Healthineers products. The vulnerabilities have a CVSS v3 score of 9.8 out of 10 and may be linked to CVE-2019-0708, the Microsoft BlueKeep RDS vulnerability.
The vulnerability CVE-2019-0708 may be remotely exploited without user interaction. An attacker can exploit the vulnerability and take control of a vulnerable device by means of sending especially made requests to Remote Desktop Services on a vulnerable device through RDP.
The vulnerability is wormable and when exploited can propagate malware to vulnerable devices linked to a network just like in the WannaCry attacks in 2017. The seriousness of the vulnerability caused Microsoft to release patches for vulnerable operating systems, which include unsupported Windows versions that a lot of healthcare and industrial establishments still use.
The vulnerability impacts the following operating systems: Windows 2003, Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. If it is not possible to apply the patch, RDP must be inactivated, Network Level Authentication (NLA) must be activated and port 3389 must be blocked at the firewall.
After Microsoft’s announcement of the RDS vulnerability and the issuance of the patches, Siemens investigated the affected Siemens Healthineers products and found 6 types of product to have vulnerabilities.
The vulnerability in these products may be exploited depending on the particular configuration and deployment setting. The vulnerabilities could typically be resolved when the Microsoft patch is applied. However, the patch may not be compatible with devices that are beyond their end-of-life. Customers using vulnerable devices can contact their local Siemens Healthineers customer support to get patch and remediation guidance.
Siemens Healthineers Software Products
Medicalis (Clinical Decision Support, Intelligo, Referral Management, and Workflow Orchestrator), MagicLinkA, MagicView (100W and 300), Screening Navigator, Teamplay and Syngo (Dynamics, Imaging, Plaza, Workflow MLR, Worlflow SLR, via, via View&Go, and via WebViewer).
Users of these software products need to apply the Microsoft patch. Risk could be diminished by making certain a secure deployment as per Siemens recommendations and making sure AV software is being used and routinely kept up to date.
Siemens Healthineers Radiation Oncology Products
All models of Lantis
Siemens suggests turning off RDP and shutting down TCP port 3389
Siemens Healthineers Advanced Therapy Products
System Acom, Sensis and VM SIS Virtual Server
The RDP on Acom systems must be disabled and Microsoft’s temporary fix on Sensis and VM SIS Virtual Server must be followed until the release of a patch.
Siemens Healthineers Laboratory Diagnostics Products
The majority of Laboratory Diagnostics products are not affected by the flaw.
The vulnerable products include:
Apto by Siemens, Aptio by Inpeco, Atellica Solution, Streamlab, Syngo Lab Process Manager, CentraLink, Viva E, and Viva Twin. Siemens Healthineers is going to give customers more information about the plan and specifics of activities to enhance security.
With these products, users need to follow Microsoft’s temporary fixes and mitigations until a patch released by Siemens is available on June 3, 2019.
Atellica NEPH 630 (Windows 7), Atellica COAG 360 (Windows 7), BN ProSpec (XP and Windows 7), and BCS XP (XP and Windows 7).
The patch is still under scrutiny for the above products. In the meantime, users are to follow Microsoft’s temporary fixes and mitigations.
CS 2100 (XP and Windows 7), CS 2000 (XP and Windows 7), CS 5100 (XP and Windows 7) and CS 2500 (Windows 7).
Siemens Healthineers Radiography and Mobile X-Ray Products
All versions of these products that have the Canon detector are at risk. Customers need to get in touch with their Siemens Regional Support Center for recommendations and, if possible, block TCP port 3389.
Axiom (Multix M, Solitaire M and Vertic MD Trauma), MobileTT XP Digital, Vertix Solitaire and Multix (Pro P, Pro ACSS P, PRO/PRO ACSS/PRO Navy, TOP, Swing, Top ACSS, and TOP P/TOP ACSS P).
Siemens Healthineers Point of Care Diagnostics Products
AUWi Pro, AUWi, Rapid Point 500 (v2.2, 2.2.1, 2.2.2, 2.3, 2.3.1, and 2.3.2)
A patch is going to be released in June 2019 so there is no need for immediate action. Meanwhile, Microsoft’s workaround and mitigations could be utilized for interim countermeasures.