The United States Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory outlining five vulnerabilities found in Contec Health's CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. The agency details how exploitation of the vulnerabilities could allow a malicious actor to conduct distributed denial-of-service attacks, alter firmware, make configuration changes, access a root shell, and cause a monitor to display incorrect information.
CISA has stated that it has contacted Contec Health about the faults in the Vital Signs Monitors but has not received any response regarding vulnerability mitigations. CISA has found five vulnerabilities within the monitors, the most serious being CVE-2022-38100. Through this vulnerability, a malicious actor can gain remote access to the device's network. The actor could then cause the device to fail, or send malformed network information to the device through a custom-formatted UDP request, after which the device would require a reboot. The attack could then be launched against every vulnerable device operating on the same network.
The device does not contain proper access controls. A malicious actor with momentary physical access to the device can plug in a USB drive and launch a malicious firmware update, making permanent changes to the device's operation. CISA states that the device has no authentication or controls in place to prevent an unauthorized third party from altering the device's functionality. A third vulnerability relates to the use of hard-coded credentials: the device contains multiple default credentials that a malicious actor with momentary physical access may use to gain privileged access. With privileged access to the device, a malicious actor can remove patient PHI or alter the device's parameters. Finally, the device's binaries were also built with compiler settings that leave them 'not stripped' and with 'debug_info' present. These settings can be exploited with little effort to reverse engineer the code and identify further vulnerabilities within the device.
CISA has recommended that CMS8000 users implement several mitigations to reduce the risk of exploitation. These include disabling UART functionality at the CPU level, enforcing unique device authentication before granting access to the terminal or bootloader, enforcing secure boot where possible, and applying tamper stickers to the device casing to indicate when a device has been opened. CISA has also advised users to take several defensive measures, including securing physical access, minimizing network exposure for all control system devices and/or systems, locating control system networks and remote devices behind firewalls and isolating them from the business network, and using VPNs when remote access is required.