Security Architecture, Endpoint/Device Security, IoT, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Multiple zero-day vulnerabilities found medical IoT devices: CISA

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of vulnerabilities in several medical IoT devices that could lead to remote code execution.

Advisory ICSA-19-274-01, which has a CVSS rating or 9.8, covers the following pieces of equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, Zebos by IP Infusion, and VxWorks by Wind River. The vulnerabilities include stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection and null pointer dereference.

All are described as exploitable remotely, requiring only a low skill level to exploit and public exploits are available. This is an expanded advisory with the original being issued by DHS in July.

“The Interpeak IPnet stack vulnerabilities were first reported under ICSA-19-211-01 Wind River VxWorks. These vulnerabilities have expanded beyond the affected VxWorks systems and affect additional real-time operating systems (RTOS). CISA has reached out to affected vendors of the report and asked them to confirm the vulnerabilities and identify mitigations,” the advisory stated.

In response ENEA recommends affected users upgrade to a newer version of OSE or contact WindRiver (now the license holder for Interpeak) for compensating controls; Green Hills Software recommends affected users contact Wind River for compensating controls; ZebOS by IP Infusion has not yet responded to CISA inquiries.

Wind River has produced controls and patches to mitigate the reported vulnerabilities. To obtain patches, email [email protected].

The Food and Drug Administration also posted a warning stating that it has not received any adverse event reports associated with these vulnerabilities.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.