Advisory Released About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers

Siemens has released an advisory covering two recently discovered vulnerabilities in its RAPIDLab and RAPIDPoint blood gas analyzers.

No reports have been received to date of either vulnerability being exploited in the wild, but users of the devices are urged to take steps to mitigate the risk.

The vulnerabilities affect the Siemens RAPIDLab 1200 Series and the RAPIDPoint 400/405/500 cartridge-based blood gas, electrolyte, and metabolite analyzers.

CVE-2018-4845 is a privilege escalation flaw in the Remote View feature. A local or remote attacker who already holds valid credentials for Remote View could escalate privileges and potentially compromise the confidentiality, integrity, and availability of the system. No user interaction is required. The vulnerability has been assigned a CVSS v3.0 base score of 8.8.

CVE-2018-4846 concerns a factory account with a hardcoded password that could be used to gain remote access to the device over port 8900/tcp, compromising the confidentiality, integrity, and availability of the device. Exploitation requires no privileges and no user interaction. The vulnerability has been assigned a CVSS v3.0 base score of 7.3. Little skill would be needed to exploit either vulnerability. Because the password is built into the product rather than set by the operator, the exposure persists for as long as the service is reachable, which is why the Siemens guidance below centres on disabling Remote Viewing or, where a software release supports it, changing the password.
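As an added example (not code from Siemens or from the advisory), the following Python script triages firewall log lines for TCP sessions to 8900/tcp on known analyzer addresses. It doubles as a check that the "disable Remote Viewing" mitigation actually took effect: an accepted session to that port means the feature, and with it the factory account, is still reachable. The log format, IP addresses, device names and the list of expected source hosts are all assumptions constructed for the example; the advisory gives only the port number, so detection is by port alone and the Remote Viewing protocol itself is not parsed.

```python
"""Flag network sessions to the Remote Viewing port (8900/tcp) of blood gas analyzers.

Added example, not Siemens code. The advisory only states that the factory
account is reachable over 8900/tcp, so the check keys on that port alone and
does not interpret the Remote Viewing protocol. Log format, addresses and
host names below are constructed for this example.
"""
import re
from dataclasses import dataclass

REMOTE_VIEWING_PORT = 8900  # per the advisory text for CVE-2018-4846

# Constructed inventory of analyzer addresses (hypothetical values).
ANALYZERS = {
    "10.20.30.11": "RAPIDLab 1200 (core lab)",
    "10.20.30.12": "RAPIDPoint 500 (ICU)",
}

# Hosts expected to reach the analyzers, e.g. a data management server (hypothetical).
EXPECTED_SOURCES = {"10.20.30.5"}

# Constructed firewall log lines in a simple key=value syslog style (hypothetical format).
SAMPLE_LOG = """\
2018-06-12T08:01:12Z fw01 action=ACCEPT proto=TCP src=10.20.30.5 spt=51234 dst=10.20.30.11 dpt=8900
2018-06-12T08:02:40Z fw01 action=ACCEPT proto=TCP src=10.20.30.5 spt=51240 dst=10.20.30.11 dpt=443
2018-06-12T08:05:03Z fw01 action=ACCEPT proto=TCP src=192.168.77.9 spt=40022 dst=10.20.30.12 dpt=8900
2018-06-12T08:05:05Z fw01 action=DENY proto=TCP src=192.168.77.9 spt=40023 dst=10.20.30.11 dpt=8900
2018-06-12T08:06:00Z fw01 action=ACCEPT proto=UDP src=10.20.30.40 spt=5000 dst=10.20.30.11 dpt=8900
2018-06-12T08:07:10Z fw01 action=ACCEPT proto=TCP src=10.20.30.40 spt=5100 dst=10.20.30.99 dpt=8900
this line is not a firewall record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+spt=(?P<spt>\d+)\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    device: str
    severity: str  # "high", "medium" or "low", see classify()


def parse_line(line):
    """Return the record fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(action, src, expected_sources):
    """Rate one 8900/tcp session against an analyzer.

    A permitted session from an unexpected host is the worst case: the
    hardcoded factory account is reachable from there without credentials.
    A blocked attempt still deserves a look at the source host. A permitted
    session from an expected host is reported at low severity, because the
    account is reachable from that host too until Remote Viewing is disabled
    or the password is changed.
    """
    if action.upper() == "ACCEPT":
        return "low" if src in expected_sources else "high"
    return "medium"


def find_remote_viewing_access(lines, analyzers=ANALYZERS, expected_sources=EXPECTED_SOURCES):
    """Scan log lines and return a Finding for each TCP record to 8900 on an analyzer host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].upper() != "TCP" or int(rec["dpt"]) != REMOTE_VIEWING_PORT:
            continue
        device = analyzers.get(rec["dst"])
        if device is None:
            continue  # 8900/tcp on a host that is not an analyzer is out of scope here
        findings.append(Finding(
            ts=rec["ts"], src=rec["src"], dst=rec["dst"], device=device,
            severity=classify(rec["action"], rec["src"], expected_sources),
        ))
    return findings


if __name__ == "__main__":
    for f in find_remote_viewing_access(SAMPLE_LOG.splitlines()):
        print(f"{f.severity.upper():6} {f.ts} {f.src} -> {f.dst} ({f.device})")
```

Run against the constructed log, the script reports three findings: the expected server's session (low), an accepted session from an unexpected host to the ICU analyzer (high), and a blocked attempt against the core-lab analyzer (medium); the UDP record, the HTTPS record and the record for a non-analyzer host are ignored. If Remote Viewing has been disabled on every analyzer, a well-configured firewall should produce no ACCEPT findings at all.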

No single patch addresses the flaws across all affected products. For some models an updated software version is available; for others Siemens has identified only workarounds and mitigations that reduce the risk of exploitation. The guidance is summarized in the table below:

Affected Product and Versions / Remediation

RAPIDLab 1200 systems, RAPIDPoint 400 systems, RAPIDPoint 500 systems: all versions without Siemens Healthineers Informatics products

· Restrict physical access to authorized personnel only to limit exposure to CVE-2018-4845.

· Disable the Remote Viewing feature by following the instructions in the "Enabling or Disabling Remote Viewing" section of the analyzer Operator's Guide to limit exposure to CVE-2018-4845 and mitigate CVE-2018-4846.

RAPIDLab 1200 Series: all versions < V3.3 with Siemens Healthineers Informatics products

· Restrict physical access to authorized personnel only to limit exposure to CVE-2018-4845.

· Upgrade to V3.3 or V3.3.1. Contact your Siemens Healthineers service desk for further information.

· Change the password as described in the release notes, or contact the service department.

· To ensure seamless and secure connectivity with the RAPIDComm® Data Management System, RAPIDComm® V7.0 or higher is recommended.

RAPIDPoint 500 systems: all versions >= V3.0 with Siemens Healthineers Informatics products

· Restrict physical access to authorized personnel only to limit exposure to CVE-2018-4845.

· Change the password as described in the release notes, or contact the service department.

· To ensure seamless and secure connectivity with RAPIDComm, RAPIDComm V7.0 or higher is recommended.

RAPIDPoint 500 systems: V2.4.x with Siemens Healthineers Informatics products

· Restrict physical access to authorized personnel only to limit exposure to CVE-2018-4845.

· Upgrade to V3.0 and follow the guidance given above for V3.0.

RAPIDPoint 500 systems: all versions <= V2.3 with Siemens Healthineers Informatics products

· Restrict physical access to authorized personnel only to limit exposure to CVE-2018-4845.

· Siemens Healthineers will update this advisory when new information becomes available.

RAPIDPoint 400 systems: all versions with Siemens Healthineers Informatics products

· Restrict physical access to authorized personnel only to limit exposure to CVE-2018-4845.

· Upgrade to the RAPIDPoint 500 Series.

· If upgrading is not an option, disable the Remote Viewing feature by following the instructions in the "Enabling or Disabling Remote Viewing" section of the analyzer Operator's Guide to limit exposure to CVE-2018-4845 and mitigate CVE-2018-4846.