Siemens Healthineers Security Advisory

Remote code execution vulnerability on syngo.via (CVE-2019-18935)

Publication Date: 2021-01-05

Last Update: 2021-01-05

Current Version: 1.0

CVSS v3.1 Base Score: 8.3

SUMMARY

syngo.via uses the third-party component Telerik UI for ASP.NET AJAX, which is affected by the publicly known remote code execution vulnerability CVE-2019-18935. Siemens Healthineers provides fixes for several syngo.via versions and recommends specific countermeasures where no fix is available. We strongly recommend upgrading vulnerable syngo.via versions to the latest available version, VB50.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions                    | Remediation
-------------------------------------------------|------------------------------------------------------------------------------
syngo.via VA30A: all versions                    | See recommendations in section Workarounds and Mitigations
syngo.via VB10: all versions                     | See recommendations in section Workarounds and Mitigations
syngo.via VB20A: all versions < patch level HF06 | Update to patch level HF06. Please contact your local Siemens Healthineers support center for assistance. See also the recommendations in section Workarounds and Mitigations
syngo.via VB30A: all versions < patch level HF05 | Update to patch level HF05. Please contact your local Siemens Healthineers support center for assistance. See also the recommendations in section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens Healthineers has identified the following specific mitigation:

  • Applying the patch described below prohibits access to the Admin Portal function from the network and limits it to local access only.

The mitigation will be applied automatically to vulnerable installations over the coming days. Preconditions for the automated update:

  • A Service Contract and a Smart Remote Service connection are available
  • Silent Installation is enabled in the Admin Portal for the package group "AutoConfig"

If Silent Installation is deactivated, the installation has to be performed manually by clicking the "Install" button. The installation takes about 1-5 minutes. Afterwards the package status in the software catalog changes to "Installed".


Hint: The connection to the Admin Portal may be lost during the installation. If this happens, log in again and check whether the status has changed to "Installed".


For customers without a Service Contract or without a Smart Remote Service connection, Siemens Healthineers provides the patch for download via the teamplay Fleet customer online portal:

  1. Log in to the teamplay Fleet customer online portal with your user account
  2. Navigate to the patch in the portal:
    1. Go to your syngo.via equipment
    2. Select the "Documents" tab and click on the "syngo Information" section
    3. Select your version of syngo.via: VA30 or VB10
    4. Type "Telerik" in the search field
    5. Download the HS SY201-20-R TELERIK FIX zip files
Alternatively to step 2, download the patch via this link


Follow the steps to install the patch manually on the syngo.via Server machine:

  1. Log on to the syngo.via server.
  2. Unzip the downloaded package on the syngo.via server and copy the folder HS_SY201-20-R_TELERIK_FIX to sd_store (default location: C:\sysmgmt\sd_store\)
  3. Open the syngo.via Administration Portal and log in
  4. Navigate to the "Software Update" page under the Installation tab
  5. Change the filter to "All" to see all packages
  6. Search for the package "HS_SY201-20-R_TELERIK_FIX" and click the "Install" button
  7. After successful installation, the status of the package changes to "Installed"

Note: If silent installation is already enabled, the package is executed automatically and changes to the "Installed" state without a manual install. Silent installation packages are installed automatically within 30 minutes.


Siemens Healthineers has identified the following further workarounds and mitigations that customers can apply to reduce the risk:

  • Restrict physical access to only authorized individuals to limit exposure.
  • Securely store any database backup files. 

GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance information, contact your local Siemens Healthineers customer service representative, support center, or https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION
syngo.via is a software solution intended to be used for viewing, manipulation, communication, and storage of medical images. It can be used as a stand-alone device or together with a variety of cleared and unmodified syngo based software options. syngo.via supports interpretation and evaluation of examinations within healthcare institutions, for example in Radiology, Nuclear Medicine and Cardiology environments.

  

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed using the CVSS scoring system in version 3.1 (CVSS v3.1), https://www.first.org/cvss. The score takes the product's intended use into account: no connection to the internet for incoming requests, and no high availability requirement. In the vector below this is reflected by the adjacent-network attack vector (AV:A) and the low availability impact (A:L).


An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.


Vulnerability CVE-2019-18935 

Deserialization of untrusted data could allow an attacker to upload and execute malicious code via the Admin Portal component of the syngo.via server with service account privileges.

CVSS Base Score 8.3

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C

CWE: CWE-502: Deserialization of Untrusted Data
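The vulnerability above is reached through the RadAsyncUpload handler of Telerik UI for ASP.NET AJAX, which is served from the path Telerik.Web.UI.WebResource.axd with the query type=rau. The serialized payload travels in the POST body (the rauPostData field), which IIS does not write to its logs, so a log review can show who reached the handler but not what they sent. Since the mitigation in this advisory limits the Admin Portal to local access, any request to that handler from a non-local client is worth an incident ticket. The following Python is an added example, not Siemens Healthineers' code, that performs this review over IIS W3C logs; it assumes IIS W3C logging with the fields shown in the sample, the /AdminPortal/ application path is hypothetical, and the log lines are constructed for the example.

```python
"""Review IIS W3C logs for non-local access to the Telerik RadAsyncUpload handler.

Added example for this advisory; not Siemens Healthineers' code. Flags requests to
<application path>/Telerik.Web.UI.WebResource.axd?type=rau whose client is neither
loopback nor the server's own address. Assumptions: IIS W3C logging with the fields
listed in the sample; the /AdminPortal/ path is hypothetical; the log lines below
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

HANDLER_SUFFIX = "telerik.web.ui.webresource.axd"

# Constructed sample log (IIS replaces spaces in the User-Agent with '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-01-05 09:58:12 10.20.0.5 GET /AdminPortal/Default.aspx - 443 10.20.0.5 Mozilla/5.0+(Windows+NT+10.0) 200
2021-01-05 09:58:40 10.20.0.5 POST /AdminPortal/Telerik.Web.UI.WebResource.axd type=rau 443 ::1 Mozilla/5.0+(Windows+NT+10.0) 200
2021-01-05 10:02:03 10.20.0.5 GET /AdminPortal/Telerik.Web.UI.WebResource.axd - 443 10.44.7.19 python-requests/2.25.0 200
2021-01-05 10:02:04 10.20.0.5 POST /AdminPortal/Telerik.Web.UI.WebResource.axd type=rau 443 10.44.7.19 python-requests/2.25.0 200
2021-01-05 10:02:05 10.20.0.5 POST /AdminPortal/Telerik.Web.UI.WebResource.axd type=rau 443 10.44.7.19 python-requests/2.25.0 200
2021-01-05 10:15:30 10.20.0.5 POST /AdminPortal/Telerik.Web.UI.WebResource.axd type=rau 443 10.20.0.5 Mozilla/5.0+(Windows+NT+10.0) 200
"""


@dataclass
class Finding:
    when: str
    client: str
    method: str
    uri: str
    status: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> List[dict]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[dict] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip rows that do not match the declared layout
        records.append(dict(zip(fields, values)))
    return records


def is_local(client_ip: str, server_ip: str) -> bool:
    """'Local access' here means loopback (IPv4 or IPv6) or the server's own address."""
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return client.is_loopback or client_ip == server_ip


def find_remote_rau_access(records: List[dict]) -> List[Finding]:
    """Return one Finding per request to the RadAsyncUpload handler from a non-local client."""
    findings: List[Finding] = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        if not stem.endswith(HANDLER_SUFFIX) or "type=rau" not in query.split("&"):
            continue
        client = r.get("c-ip", "")
        if is_local(client, r.get("s-ip", "")):
            continue
        findings.append(Finding(
            when=f"{r.get('date')} {r.get('time')}",
            client=client,
            method=r.get("cs-method", ""),
            uri=f"{r.get('cs-uri-stem')}?{r.get('cs-uri-query')}",
            status=r.get("sc-status", ""),
            reason="RadAsyncUpload handler reached from non-local client",
        ))
    return findings


if __name__ == "__main__":
    for f in find_remote_rau_access(parse_w3c(SAMPLE_LOG.splitlines())):
        print(f"{f.when} {f.client} {f.method} {f.uri} -> {f.status}: {f.reason}")
```

Run it against the real log directory instead of SAMPLE_LOG by passing the file's lines to parse_w3c. Two consecutive POSTs from one remote client, as in the sample, match the shape of the public exploit flow (upload, then trigger), but a single hit is already a policy violation once the local-only mitigation is in place, so the script does not try to infer exploitation from status codes.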


ACKNOWLEDGMENTS
Siemens Healthineers thanks the following parties for their efforts and for coordinated disclosure:

  • Ryan Wincey from Securifera, Inc.
  • Austin Nuttal

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers: https://www.siemens-healthineers.com/cybersecurity


HISTORY DATA
V1.0 (2021-01-05): Publication Date