HC3 TLP White Sector Alert – PwnedPiper Impact on Healthcare - August 3, 2021

Executive Summary

Nine vulnerabilities (dubbed PwnedPiper) were recently discovered in pneumatic tube systems made by Swisslog. These tube systems, found in many hospitals and other healthcare organizations, transport small items such as lab samples, blood, tissue or medication from one part of the medical facility to another. The vulnerabilities can allow a cyberattacker to compromise and/or disrupt the operations of the system. They are believed to impact over 3,000 hospitals worldwide, including 80% of all hospitals in North America. All healthcare organizations are urged to review this document and apply the appropriate steps outlined in the mitigation section as needed.

Report

On August 2, 2021, the cybersecurity company Armis released vulnerability research on pneumatic tube systems (PTS) produced by Swisslog. A PTS is a series of tubes, either in a single building or between several buildings, that allows people to move small objects around quickly. In healthcare organizations, PTS are used to transport items such as lab samples, blood, tissue or medication from one part of the medical facility to another. The Armis research revealed that an unauthenticated attacker could gain full control over Swisslog Translogic PTS that are connected to the internet and then compromise the entire tube network of a target hospital. Armis identified nine vulnerabilities (collectively referred to as PwnedPiper), which have CVEs assigned to them and cover issues such as password leakage, remote code execution, denial-of-service, and full device compromise:

  • CVE-2021-37163 - Two hardcoded passwords that are accessible through the Telnet server on the Nexus Control Panel
  • CVE-2021-37167 - Privilege escalation vulnerability due to a user script being run by root
  • CVE-2021-37161 - Memory corruption bug in the implementation of the TLP2-0 protocol: Underflow in udpRXThread
  • CVE-2021-37164 - Memory corruption bug in the implementation of the TLP2-0 protocol: Off-by-three stack overflow in tcpTxThread
  • CVE-2021-37165 - Memory corruption bug in the implementation of the TLP2-0 protocol: Overflow in hmiProcessMsg
  • CVE-2021-37162 - Memory corruption bug in the implementation of the TLP2-0 protocol: Overflow in sccProcessMsg
  • CVE-2021-37166 - GUI socket denial of service
  • CVE-2021-37160 - Unauthenticated, unencrypted, unsigned firmware upgrade

View the entire report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272