Endpoint/Device Security

White hats make blood-boiling bug find in gas chromatographs


Researchers have disclosed a trio of flaws in a popular brand of machines used for blood testing.

Claroty’s Team82 group took credit for discovering and reporting a trio of security holes in the Emerson Rosemount 370 XA gas chromatograph. The appliance is most often used by hospitals and medical labs to process and analyze blood samples for testing.

The vulnerabilities include two command injection flaws, an authentication bypass, and an authorization bypass. The most serious of the vulnerabilities, a command injection bud resulting in remote code execution, was given a critical CVSS rating at 9.8 (CVE-2023-46687 PDF).

While Emerson Rosemount has already issued an update for the vulnerable firmware, gas chromatograph appliances are unlikely to be a priority for the IT departments at most healthcare providers, meaning many of the devices currently in use are likely still vulnerable to attack.

Typically, the gas chromatograph machines are managed through the facility’s on premise network through specialized device management tools, though it is often unclear whether those networks are air-gapped and remotely accessible.

Regardless of the device’s accessibility, Claroty, Emerson Rosemount, and CISA are all advising administrators to update the appliance firmware to the latest version in order to prevent exploitation.

Experts say that even if the device itself is not exploited for any medical record details, a successful compromise could allow for further attacks, according to First Health Advisory CSO of government and digital health Toby Gouker.

“If they are attacked in a hospital setting, the worst that can happen is that the equipment's computing power could be used as a pivot point for escalation to more valuable assets on the network, if the hospital's lab operations are on the same network as other operations,” Gouker told CyberRisk Alliance.

While the vulnerabilities themselves are significant, the process of discovering the flaws is also interesting. Typically, gas chromatograph machines cost something in the neighborhood of six figures, well outside the budget of security research teams.

Instead, the researchers opted to create an emulated environment to run the chromatograph’s firmware along with a virtual controller machine, in this case a 1990s era PowerPC Macintosh.

From there, the team was able to analyze how traffic worked between the gas chromatograph and the controlling machine. This, in turn, allowed them to simulate the environment and test out the device’s security protections by bombarding it with specially crafted packets that could expose the vulnerabilities.

“The approach we took for our vulnerability research was to go over the implementation of all command types and look for bugs,” the Team82 squad explained.

“The bugs we are looking for are memory vulnerabilities such as heap or stack buffer overflows, and logical ones such as path traversal, command injection etc.”

The result was the discovery of four potentially serious security holes and the release of a patch that could prevent thousands of medical devices.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.