Siemens Healthineers Security Advisories  

Privilege Escalation Vulnerability in Medicalis Workflow Orchestrator

Publication Date: 2024-07-08     
Last Update: 2024-07-08
Current Version: V 1.0
CVSS v3.1 Base Score: 7.8
CVSS v4.0 Base Score: 8.5



SUMMARY 

Medicalis Workflow Orchestrator contains a privilege escalation vulnerability that could allow a local attacker to escalate privileges.

Siemens Healthineers recommends countermeasures for products where fixes are not, or not yet available.

Affected Product and Versions

Remediation

Medicalis Workflow Orchestrator
All versions
affected by CVE-2024-37999

Currently no fix is planned
Remove the 'Medicalis Workflow Orchestrator Client Updater Windows Service'

WORKAROUNDS AND MITIGATIONS 

Currently no fix is planned
Remove the 'Medicalis Workflow Orchestrator Client Updater Windows Service'
Product specific remediations or mitigations can be found in the section Affected Products and Solution.


Please follow the General Security Recommendations.


GENERAL SECURITY RECOMMENDATIONS

In addition, Siemens Healthineers generelly recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION

Medicalis Workflow Orchestrator (WFO) is an enterprise level software solution that manages radiologist reading workflow across radiology practices and legacy platforms.


VULNERABILITY CLASSIFICATION

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.


Vulnerability CVE-2024-37999

The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges.

CVSS v3.1 Base Score:

7.8

CVSS v3.1 Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVSS v4.0 Base Score:

8.5

CVSS v4.0 Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:

CWE-282: Improper Ownership Management


ACKNOWLEDGMENTS 

Siemens Healthineers thanks the following parties for their efforts:

  • Brett Gustafson from Evolve Security for coordinated disclosure


ADDITIONAL INFORMATION 

To eliminate the vulnerability, the Medicalis Workflow Orchestrator Client Updater Windows Service should be deleted. Doing so will not prevent client updates from happening, and has no impact to user workflows. The client will update when it is launched and manual updates can still be performed using the System Tray task application.

To delete the service from a client workstation and anywhere the client is installed:

Run Powershell as admin

Run the following from a command line:

net stop "Medicalis Workflow Orchestrator Client Updater"

And then:

sc delete "Medicalis Workflow Orchestrator Client Updater".


For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity


HISTORY DATA 

V1.0 (2024-07-08): Publication Date


TERMS OF USE

Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or docu- mentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens’ Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.