PwnedPiper flaws in PTS systems affect 80% of major US hospitals

Cybersecurity researchers disclosed multiple flaws, dubbed PwnedPiper, that left a widely-used pneumatic tube system (PTS) vulnerable to attacks.

Researchers from cybersecurity Armis disclosed a set of nine vulnerabilities collectively tracked as PwnedPiper that could be exploited to carry out multiple attacks against a widely-used pneumatic tube system (PTS).

The Swisslog PTS system are used in the hospitals to automate logistics and the transport of materials throughout the building via a network of pneumatic tubes. 

The flaw affects the Translogic PTS system manufactured by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and thousands of hospitals worldwide.

An attacker could exploit the PwnedPiper vulnerabilities to completely take over the Translogic Nexus Control Panel, which powers current models of Translogic PTS stations.

The flaws could be exploited by attackers to conduct a broad range of malicious activities, such as carrying out a man-in-the-middle (MitM) attack to change or deploying ransomware

“These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital,” reads the post published by Armis. “This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.”

The flaws include privilege escalation, memory corruption, remote-code execution, and denial-of-service issues. An attacker could also push an insecure firmware upgrade to fully compromise the devices.

These are the nine vulnerabilities discovered by the researchers:

• CVE-2021-37161 – Underflow in udpRXThread
• CVE-2021-37162 – Overflow in sccProcessMsg
• CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
• CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
• CVE-2021-37165 – Overflow in hmiProcessMsg
• CVE-2021-37166 – GUI socket Denial Of Service
• CVE-2021-37167 – User script run by root can be used for PE
• CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade

Swisslog has released Nexus Control Panel version 7.2.5.7 that addresses most of the above vulnerabilities. The CVE-2021-37160 has yet to be addressed.

“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare. Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.” concludes the report.

Swisslog has also published security advisories for these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PTS Systems)

[adrotate banner=”5″]

[adrotate banner=”13″]