The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of vulnerabilities in several medical IoT devices that could lead to remote code execution.
Advisory ICSA-19-274-01, which has a CVSS rating or 9.8, covers the following pieces of equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, Zebos by IP Infusion, and VxWorks by Wind River. The vulnerabilities include stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection and null pointer dereference.
All are described as exploitable remotely, requiring only a low skill level to exploit and public exploits are available. This is an expanded advisory with the original being issued by DHS in July.
“The Interpeak IPnet stack vulnerabilities were first reported under ICSA-19-211-01 Wind River VxWorks. These vulnerabilities have expanded beyond the affected VxWorks systems and affect additional real-time operating systems (RTOS). CISA has reached out to affected vendors of the report and asked them to confirm the vulnerabilities and identify mitigations,” the advisory stated.
In response ENEA recommends affected users upgrade to a newer version of OSE or contact WindRiver (now the license holder for Interpeak) for compensating controls; Green Hills Software recommends affected users contact Wind River for compensating controls; ZebOS by IP Infusion has not yet responded to CISA inquiries.
Wind River has produced controls and patches to mitigate the reported vulnerabilities. To obtain patches, email PSIRT@windriver.com.
The Food and Drug Administration also posted a warning stating that it has not received any adverse event reports associated with these vulnerabilities.