
Several zero-day PwnedPiper vulnerabilities found in the hospital system

John Greenwood Posted On August 3, 2021

Researchers from Armis have identified several zero-day flaws in the pneumatic tube system (PTS) from Swisslog Healthcare. This PTS is used in more than 3000 hospitals worldwide, and the flaws could allow attackers to launch DoS attacks, steal credentials and gain access to critical information systems.

Ben Seri, Vice President of Armis, said that an attacker can infiltrate hospital networks and patient data using these vulnerabilities by gaining authenticated access to the critical infrastructure. The vulnerabilities are named PwnedPiper, and the technical details are shared in this PDF.

A PTS is an air-pressurized system that transports medicines, test samples, and blood work within the hospital network for further processing and assessment. Initially these systems were used only for testing purposes, but their use now goes beyond testing, as they are actively incorporated into hospitals' routine operations.

Details on the PwnedPiper vulnerabilities

The researchers claim to have identified nine unique vulnerabilities associated with the PTS. Swisslog, however, has accepted only eight of them, stating that the ninth is just a variation of the eighth and not a separate one. Armis researchers continue to maintain that they are different, which brings the count to nine zero-day vulnerabilities in total.

The Swisslog Nexus Control Panel has two hard-coded passwords, for the user and root accounts, which can give further access when used. These are listed below along with several other vulnerabilities covering remote code execution, privilege escalation, buffer overflow, stack overflow, and DoS attacks.

  • CVE-2021-37163
  • CVE-2021-37164
  • CVE-2021-37165
  • CVE-2021-37162
  • CVE-2021-37161
  • CVE-2021-37167
  • CVE-2021-37166
  • CVE-2021-37160

These flaws can allow attackers to access the RFID credentials of the employees, execute a ransomware attack, and also manipulate PTS’s configurations.

Patches available from Swisslog for PwnedPiper flaws

Swisslog immediately released a software update for the firmware, V7.2.5.7, that patches all the vulnerabilities except one. CVE-2021-37160 is yet to be patched, but Swisslog has given a workaround for it. The Swisslog advisory has the details of the vulnerabilities and their mitigation procedures.
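For teams tracking remediation, the following added example (not Swisslog's or Armis's tooling) triages a panel inventory against the V7.2.5.7 release and the still-open CVE-2021-37160 named above. The CSV layout, hostnames and sample versions are constructed, and it assumes firmware versions order numerically component by component.

```python
import csv
import io

# Facts taken from the article: the fixed firmware release and the CVE it leaves open.
FIXED_VERSION = "7.2.5.7"
STILL_OPEN = "CVE-2021-37160"
PATCHED_CVES = [
    "CVE-2021-37161", "CVE-2021-37162", "CVE-2021-37163", "CVE-2021-37164",
    "CVE-2021-37165", "CVE-2021-37166", "CVE-2021-37167",
]

# Constructed sample inventory; hostnames, column names and versions are assumptions.
SAMPLE_INVENTORY = """host,firmware
pts-er-01,7.2.5.7
pts-lab-02,V7.2.4.10
pts-icu-03,7.10.0.1
pts-pharm-04,unknown
"""

def parse_version(text):
    """Turn 'V7.2.5.7' or '7.2.5.7' into a tuple of ints; None if unparseable."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return {host: (status, cves_to_address)} for each panel in the inventory."""
    fixed = parse_version(FIXED_VERSION)
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["firmware"])
        if version is None:
            # Unknown firmware is treated as unpatched until verified by hand.
            result[row["host"]] = ("verify", PATCHED_CVES + [STILL_OPEN])
        elif version < fixed:
            # Tuple comparison is numeric, so 7.2.4.10 sorts below 7.2.5.7.
            result[row["host"]] = ("update", PATCHED_CVES + [STILL_OPEN])
        else:
            # Even on the fixed release, one CVE still relies on the workaround.
            result[row["host"]] = ("workaround", [STILL_OPEN])
    return result

if __name__ == "__main__":
    for host, (status, cves) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({len(cves)} CVEs outstanding)")
```

Panels reported as "workaround" are on the fixed release but still need the advisory's mitigation for the unpatched CVE.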

The hard-coded password left in the production system is an issue, as it could be easily accessed using remote code, causing havoc on the healthcare network. Seri believes hospitals must take this situation seriously, fixing the issues and the segmentation to avoid any attacks in the wild on the infrastructure.


© The Cybersecurity Times 2022. All rights reserved.