The TransLogic Pneumatic Tubing System (PTS) is used in thousands of hospitals all over the world, and these pipes connect various departments in comprehensive hospitals.
According to the report, this TransLogic system is installed in more than 3,000 hospitals in the US. And all these pipes work effectively as it enables the movement of delicate medical materials that generally enables the nurses to implement patient carefreely.
However, the security company Armis pronounced that they have detected 9 vulnerabilities in the PTS control software-Nexus control panel.
This problem, collectively known as PwnedPiper, and these vulnerabilities allow illegal threat actors to take over the TransLogic pneumatic tube system.
How PwnedPiper Could Be Used?
After investigating the vulnerabilities, the researchers affirmed that it could enable complicated and worrisome ransomware outbreaks, and not only this it also permit the threat actors, to leak delicate hospital data.
The threat actors are targeting the Translogic PTS system as it is one of the advanced systems that consolidate with other hospital systems, and it allows the data that is being shared between these systems to be leaked or manipulated by an attacker.
The analysts have given a full list of the Pwndpiper vulnerabilities and here they are mentioned below:-
- CVE-2021-37161 – Underflow in udpRXThread
- CVE-2021-37162 – Overflow in sccProcessMsg
- CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
- CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
- CVE-2021-37165 – Overflow in hmiProcessMsg
- CVE-2021-37166 – GUI socket Denial Of Service
- CVE-2021-37167 – User script run by root can be used for PE
- CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade
As we said above that this attack is quite dangerous, and the PTS system connects comprehensive hospitals, that’s why it is quite necessary to patch these vulnerabilities.
The security analyst of Armis has suggested some mitigation that is to be followed by the hospital accordingly, here they are mentioned below:-
- They have recommended hospital bodies to initially, stop the use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not required in production).
- Expand the access control lists (ACLs), in which Translogic PTS elements (stations, blowerd, diverters, etc.) were being allotted to interact with the Translogic central server (SCC).
- Apart from this, the analyst has stated that they must use the following Snort IDS rule to recognize the exploitation efforts of CVE-2021-37161, CVE-2021-37162, and CVE-2021-37165:-
- alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet”; dsize:<21; content:”TLPU”; depth:4; content:”|00 00 00 01|”; distance:4; within:4; reference:cve,2021-37161; reference:url,https://www.armis.com/pwnedPiper; sid:9800002; rev:1;)
- Use the following Snort IDS rule to detect exploitation attempts of CVE-2021-37164:-
- alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet”;dsize:>350; content:”TLPU”; depth:4; reference:cve,2021-37164; reference:url,https://www.armis.com/pwnedPiper; sid:9800001;)
Moreover, the researchers of Armies asserted that they will continue their investigation, and will try their best to find all the key details of the vulnerabilities.
Since this attack is quite dangerous as it hampers all the delicate files and data of the hospital, therefore it is very important to follow the mitigation accordingly to bypass such vulnerability attacks in the future.