Siemens Healthineers Security Advisory

Hard-coded password and Improper Privilege Management Vulnerabilities in DCA Vantage Analyzer

Publication Date: 2020-10-13

Last Update: 2020-10-13

Current Version: 1.0

CVSS v3.1 Base Score: 6.4

SUMMARY
DCA Vantage Analyzer software version 4.5.0.0 is now available to fix a hard-coded password and an improper privilege management vulnerability that could allow an attacker to read and or modify the onboard database as well as to escape the restricted environment “kiosk mode”. Specific workarounds and mitigations may also be taken.

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions

Remediation

DCA Vantage Analyzer:

All versions < V4.5are affected by CVE-2020-7590

In Addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797

Update to software V4.5.0.0 or later version. Log into your Siemens Healthineers Document Library account to access the DCA Vantage 4.5.0.0 software. Alternatively, contact your local Siemens Healthineers support center for assistance.

WORKAROUNDS AND MITIGATIONS
Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • Restrict physical access to only authorized individuals to limit exposure.
  • Utilize DCA Vantage Analyzer Restricted mode (or higher) to further secure and prevent unauthorized access to database export and restore feature.
  • Securely store any database backup files.

GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance information, contact your local Siemens Healthineers customer service representative, support center, or https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION
The DCA Vantage Analyzer is a multi-parameter, point-of-care analyzer for monitoring glycemic control in patients with diabetes and detecting early kidney disease.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1)
https://www.first.org/cvss
. The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2020-7590
Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to open and or modify the onboard database. Successful exploitation requires direct physical access to the device.
CVSS v3.1 Base Score 6.4
CVSS Vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C
CWE: CWE-259: Use of Hard-coded Password

Vulnerability CVE-2020-15797

Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (“kiosk mode”) and access the underlying operating system. Successful exploitation requires direct physical access to the system.
CVSS v3.1 Base Score 2.4
CVSS Vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
CWE: CWE-269: Improper Privilege Management

ACKNOWLEDGMENTS
Siemens Healthineers thanks the following parties from Forescout Technologies for their coordination efforts:

  • Stanislav Dashevskyi
  • Guillaume Dupont
  • Sylvio Sorel

ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers :
https://www.siemens-healthineers.com/cybersecurity

HISTORY DATA
V1.0 (2020-10-13): Publication Date

TERMS OF USE

Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens Healthineers’ Global Website (https://www.siemens-healthineers.com/terms-of-use ,hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
© Siemens Healthineers 2020