Siemens Healthineers Security Advisory

Hard-coded password and Improper Privilege Management Vulnerabilities in DCA Vantage Analyzer

Publication Date: 2020-10-13

Last Update: 2020-10-13

Current Version: 1.0

CVSS v3.1 Base Score: 6.4

WORKAROUNDS AND MITIGATIONS
Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

• Restrict physical access to only authorized individuals to limit exposure.
• Utilize DCA Vantage Analyzer Restricted mode (or higher) to further secure and prevent unauthorized access to database export and restore feature.
• Securely store any database backup files.

GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers recommends the following:

• Ensure you have appropriate backups and system restoration procedures.
• Securely delete any backup files that are no longer needed.
• For specific patch and remediation guidance information, contact your local Siemens Healthineers customer service representative, support center, or https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION
The DCA Vantage Analyzer is a multi-parameter, point-of-care analyzer for monitoring glycemic control in patients with diabetes and detecting early kidney disease.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1)
https://www.first.org/cvss. The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2020-7590
Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to open and or modify the onboard database. Successful exploitation requires direct physical access to the device.
CVSS v3.1 Base Score 6.4
CVSS Vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C
CWE: CWE-259: Use of Hard-coded Password

Vulnerability CVE-2020-15797
Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (“kiosk mode”) and access the underlying operating system. Successful exploitation requires direct physical access to the system.
CVSS v3.1 Base Score 2.4
CVSS Vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
CWE: CWE-269: Improper Privilege Management

ACKNOWLEDGMENTS
Siemens Healthineers thanks the following parties from Forescout Technologies for their coordination efforts:

• Stanislav Dashevskyi
• Guillaume Dupont
• Sylvio Sorel
  

ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers :
https://www.siemens-healthineers.com/cybersecurity

HISTORY DATA
V1.0 (2020-10-13): Publication Date

TERMS OF USE
Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens Healthineers’ Global Website (https://www.siemens-healthineers.com/terms-of-use ,hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
© Siemens Healthineers 2020