Danny Palmer
| November 9, 2021
| Topic: Security
These are the riskiest IoT devices to connect to your enterprise network
Watch Now
Critical vulnerabilities in millions of connected devices used in hospital networks could allow attackers to disrupt medical equipment and patient monitors, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems.
The vulnerable TCP/IP stacks – communications protocols commonly used in connected devices – are also deployed in other industries, including the industrial sector and the automotive industry.
The 13 newly disclosed vulnerabilities in Nucleus Net TCP/IP stacks have been detailed by cybersecurity researchers at Forescout and Medigate. Dubbed Nucleus:13, the findings represent the final part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks used in connected devices and how to mitigate them.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The vulnerabilities could be present in millions of devices based around Nucleus TCP/IP stacks and could allow attackers to engage in remote code execution, denial of service attacks and even leak data – although researchers can’t say for certain if they’ve actively been exploited by cyber criminals.
Now owned by Siemens, the Nucleus TCP/IP stack was originally released in 1993 and is still widely used in critical safety devices, particularly in hospitals and the healthcare industry where they’re used in anaesthesia machines, patient monitors and other devices, as well as for building automation systems controlling lighting and ventilation.
Of the three critical vulnerabilities identified by researchers, CVE-2021-31886 poses the greatest threat, with a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. It’s a vulnerability in (File Transfer Protocol) FTP servers that doesn’t properly validate the length of user commands, leading to stack-based buffer overflows that can be abused for denial-of-service and remote code execution.
The remaining two critical vulnerabilities both have a CVSS score of 9.9. CVE-2021-31887 is a vulnerability in FTP servers that doesn’t properly validate the length of PWD or XPWD FTP server commands, while CVE-2021-31888 is a vulnerability that occurs when the FTP server doesn’t properly validate the length of MKD or XMKD FTP commands. Both can result in stack-based buffer overflows, allowing attackers to begin denial-of-service attacks or remotely launch code.
Because the stacks are so common, they are easy to identify and target. It’s also possible to find some of the connected devices on IoT search engine Shodan – and if they are publicly facing the internet, it’s possible to launch remote attacks. This is why researchers decided to examine them specifically.
“We found some promotional material for the stack that mentions using this for medical applications,” Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet. “Then when you look at some of the data promoting medical devices, they mention the use of the stack directly.”
Attackers would need to jump through a number of steps, detailed extensively in the paper, to fully exploit the vulnerabilities. But, as long as they exist, that potential is there – along with the potential for disruption. In hospitals, not only could this affect machines used for patient care, systems in the building such as alarms, lighting and ventilation could be affected.
Organisations are recommended to apply the available security patches released by Siemens in order to mitigate the threat.
“All vulnerabilities that are being disclosed on Nov 9th have been fixed in the corresponding latest fix releases of active Nucleus version lines,” a Siemens spokesperson told ZDNet.
Researchers also suggest that networks should be segmented in order to limit the exposure of any devices or software that could contain vulnerabilities, but can’t be patched.
“Make sure that you know your network, so even if devices are not patched and you know that probabilities exist, you can still live with a network configuration that lets you sleep at night,” said dos Santos.
Security TV
|
Data Management
|
CXO
|
Data Centers