Case Study

IoT, cloud and embedded systems software security CVEs

Patching vulnerabilities in medical devices often comes too late

The paper “Security by Design – sicher vernetzte Medizinprodukte des gesamten Product-Lifecycle” emphasizes the importance of integrating security measures throughout the entire lifecycle of networked medical devices to ensure patient safety and data integrity. Assessment of medical device CVEs is a must-have in any product or system.

  • Cybersecurity, Medtech, Embedded Systems, Network Stack
  • Multiple Clients, General Relevance
  • 24/11/2017
  • www.owasp.org
  • Nathalie Weiler

Challenge

In system and network security, major flaws often receive worldwide attention. While well-known medical device CVEs are typically fixed, they are not always patched in a timely manner. In embedded systems, similar issues can persist for extended periods. As Dr. Nathalie Weiler highlights in her Medical Cluster Insights talk “Security by Design – Sicher vernetzte Medizinprodukte des gesamten Product-Lifecycle”, Ripple20 was just the beginning. It was followed by Amnesia33, published on December 8, 2020, which identified 33 vulnerabilities in 7 open-source TCP/IP stacks, including 3 of the highest criticality (CVSS score above 9). Medical device CVEs do not immediately become public, as usage of the product is often not widespread. However, using SBOM traceability, attackers, regulators and other parties can quickly identify vulnerable medical devices before they are listed in the NVD or other databases.

Four of the vulnerabilities in AMNESIA:33 are critical, with the potential for remote code execution on certain devices. Exploiting these vulnerabilities could allow an attacker to take control of a device, using it as an entry point on a network for internet-connected devices, as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack.

Solution

Affected implementations in the medical field include uIP, Contiki-OS and Contiki-NG, PicoTCP and PicoTCP-NG, FNET, and Nut/OS. Interestingly, other implementations from both commercial and open-source origins, such as uC-TCP and lwIP, have not been reported so far.

A good strategy is to critically review a system’s software component repository for known issues. Additionally, conducting a penetration test following OWASP principles is advisable. Given the mandatory nature of these measures, it is essential to set the right priorities for effectiveness and budget reasons. Whether you need to sort out the initial architecture of a newly built system or assess a legacy system in a software review, we are glad to provide an initial consultation.
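As an added example (not Sensaco’s or Forescout’s tooling), the following Python script shows what the SBOM-based review described above looks like in practice: it cross-checks a CycloneDX-style component list against the stack families this page names as affected by AMNESIA:33. The SBOM, its component names and its version numbers are constructed for the example; the watchlist carries no version data, so a hit means “review this component against the upstream advisory”, not “confirmed vulnerable”. It also handles the two traps the Forescout quote points at: forked or renamed stacks (Contiki-NG, PicoTCP-NG, “nut-os” vs “Nut/OS”) and a stack buried inside a vendor board-support package that has no SBOM entry of its own.

```python
"""Cross-check an SBOM against the TCP/IP stack families named as affected by
AMNESIA:33. Added example: the SBOM below is constructed, not a real device
inventory, and the watchlist deliberately carries no version data."""
import json
import re

# Stack families reported as affected (from the case study text). Fixed versions
# must come from the vendor/upstream advisory, so none are encoded here.
AFFECTED_STACK_FAMILIES = [
    "uIP", "Contiki-OS", "Contiki-NG", "PicoTCP", "PicoTCP-NG", "FNET", "Nut/OS",
]

# Constructed CycloneDX-style SBOM for a hypothetical networked device.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "picotcp-ng", "version": "1.7.0", "purl": "pkg:generic/picotcp-ng@1.7.0"},
        {"name": "lwip", "version": "2.1.2", "purl": "pkg:generic/lwip@2.1.2"},
        {"name": "ethernet-driver-bsp", "version": "3.0",
         "description": "Board support package bundling the FNET stack as a vendor blob"},
        {"name": "medical-equipment-ui", "version": "0.9",
         "description": "Equipment monitoring UI"},
        {"name": "Nut/OS", "version": "5.2.3"},
        {"name": "zlib", "version": "1.2.11"},
    ],
}


def family_pattern(family):
    """Build a regex that matches a stack family as a whole token while tolerating
    the separators forks and packagers use ("Nut/OS", "nut-os", "nutos").
    The look-arounds stop short names like "uIP" matching inside "equipment"."""
    parts = re.split(r"[\s/_-]+", family)
    body = r"[\s/_-]*".join(re.escape(p) for p in parts)
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])", re.IGNORECASE)


PATTERNS = [(family, family_pattern(family)) for family in AFFECTED_STACK_FAMILIES]


def find_affected_components(sbom):
    """Return [{name, version, families}] for every component whose name, purl or
    description mentions a watchlisted family. Checking the description is what
    catches a stack embedded in a vendor BSP that has no SBOM entry of its own."""
    hits = []
    for comp in sbom.get("components", []):
        haystack = " | ".join(str(comp.get(k, "")) for k in ("name", "purl", "description"))
        families = sorted(f for f, pat in PATTERNS if pat.search(haystack))
        if families:
            hits.append({"name": comp.get("name", "?"),
                         "version": comp.get("version", "?"),
                         "families": families})
    return hits


def report(sbom):
    """Print a triage list and return the number of components needing review."""
    hits = find_affected_components(sbom)
    for h in hits:
        print(f"REVIEW {h['name']} {h['version']}: matches {', '.join(h['families'])}")
    return len(hits)


if __name__ == "__main__":
    import sys
    # With a path argument the real SBOM is checked; otherwise the constructed sample.
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    sys.exit(1 if report(sbom) else 0)  # non-zero exit lets a CI job fail the build on a hit
```

Run against the sample, the script flags picotcp-ng, the BSP that bundles FNET, and Nut/OS, while lwIP and the “equipment” UI component pass. A name-only or exact-string match would miss the first two hits and produce a false positive on the third, which is why the review step has to normalise names and look beyond the component name field.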

Results

For enterprise organizations, this means an increased risk of network compromise or business continuity disruption by malicious actors. (…) AMNESIA:33 affects multiple open-source TCP/IP stacks that are not owned by a single company.

This means that a single vulnerability can spread easily and silently across multiple codebases, development teams, companies, and products, presenting significant challenges to patch management. (…) More than 150 vendors and millions of devices are vulnerable (…) widely spread across different IoT, OT, and IT devices in various verticals, highly modular (with components, features, and settings present in various combinations and codebases often being forked), and incorporated in undocumented, deeply embedded subsystems. For these reasons, these vulnerabilities are very hard to eradicate. – Forescout Research Labs Report on Amnesia:33
