Siemens Healthineers Security Advisory

Deserialization Vulnerability in Healthcare Products
Publication Date: 2022-05-31
Last Update: 2022-06-09
Current Version: 1.0
CVSS v3.1 Base Score: 9.8

SUMMARY
A deserialization vulnerability is present in syngo which could allow an unauthenticated attacker to perform remote code execution under certain circumstances. Multiple Siemens Healthineers products use this platform and are affected by varying degrees.
Siemens Healthineers provides fixes for all affected versions and recommends specific countermeasures where fixes cannot be applied.

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions	Remediation
Biograph Horizon PET/CT Systems: All VJ30 versions < VJ30C-UD01	Update to VJ30C-UD01 or later version. This is either remotely installed via SRS or contact your local service representative Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
MAGNETOM Family: NUMARIS X: VA12M, VA12S, VA10B, VA20A, VA30A, VA31A	Contact your local service representative Allow network access to ports 32912/tcp and 32914/tcp for trusted clients only This product can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
MAMMOMAT Revelation: All VC20 versions < VC20D	Contact your local service representative to update to VC20D or later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
NAEOTOM Alpha: All VA40 versions < VA40 SP2	Contact your local service representative to update to VA40 SP2 or later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM go.All: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM go.Now: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM go.Open Pro: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM go.Sim: All versions < VA30 SP5 or VA40 SP2	ontact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM go.Top: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM go.Up: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM X.cite: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
SOMATOM X.creed: All versions < VA30 SP5 or VA40 SP2	Contact your local service representative to update to VA30 SP5, VA40 SP2 or a later version Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
Symbia E/S: All VB22 versions < VB22A-UD03	Update to VB22A-UD03 or later version. This is either remotely installed via SRS or contact your local service representative Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
Symbia Evo: All VB22 versions < VB22A-UD03	Update to VB22A-UD03 or later version. This is either remotely installed via SRS or contact your local service representative Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
Symbia Intevo: All VB22 versions < VB22A-UD03	Update to VB22A-UD03 or later version. This is either remotely installed via SRS or contact your local service representative Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
Symbia T: All VB22 versions < VB22A-UD03	Update to VB22A-UD03 or later version. This is either remotely installed via SRS or contact your local service representative Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
Symbia.net: All VB22 versions < VB22A-UD03	Update to VB22A-UD03 or later version. This is either remotely installed via SRS or contact your local service representative Due to product layout, the CVSS score is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reducing the CVSS overall score to 8.8 See further recommendations from section Workarounds and Mitigations
syngo.via VB10: All versions	Update to VB40B HF06, VB60A HF02 or later version Syngo.via can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic See further recommendations from section Workarounds and Mitigations
syngo.via VB20: All versions	Update to VB40B HF06, VB60A HF02 or later version Syngo.via can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic See further recommendations from section Workarounds and Mitigations
syngo.via VB30: All versions	Update to VB40B HF06, VB60A HF02 or later version Ensure the Whitelisting (WDAC) is activated on the server Syngo.via can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic See further recommendations from section >Workarounds and Mitigations
syngo.via VB40: All versions < VB40B HF06	Update to VB40B HF06, VB60A HF02 or later version Ensure the Whitelisting (WDAC) is activated on the server Syngo.via can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic See further recommendations from section Workarounds and Mitigations
syngo.via VB50: All versions	Update to VB60A HF02 or later version Ensure the Whitelisting (WDAC) is activated on the server Syngo.via can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic See further recommendations from section Workarounds and Mitigations
syngo.via VB60: All versions < VB60A HF02	Update to VB60A HF02 or later version Ensure the Whitelisting (WDAC) is activated on the server Syngo.via can be installed/operated in “workstation mode” where the client and server are installed on the same system. For such setups Siemens Healthineers recommends closing the ports 32912/tcp and 32914/tcp on the server Windows firewall for all inbound traffic See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS
Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

If possible, block ports 32912/tcp and 32914/tcp on an external firewall

Product specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers generally recommends the following:

Ensure you have appropriate backups and system restoration procedures.
Securely delete any backup files that are no longer needed.
For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you.

PRODUCT DESCRIPTION
Siemens Healthineers Biograph Horizon PET/CT Systems are used in hospital environments for imaging. Siemens Healthineers MAGNETOM MRI Systems are used in hospital environments for imaging. Siemens Healthineers MAMMOMAT Revelation is a state-of-the-art digital mammography system for screening and diagnostics. Siemens Healthineers NAEOTOM Alpha is a photon-counting CT scanner. Siemens Healthineers SOMATOM CT devices are used in hospital environments for imaging. Siemens Healthineers Symbia is a family of SPECT, SPECT/CT and Post-Processing Workstation devices that are used in hospital environments for imaging. Siemens Healthineers syngo.via is a software solution intended to be used for viewing, manipulation, communication, and storage of medical images. It can be used as a stand-alone device or together with a variety of cleared and unmodified syngo based software options. syngo.via supports interpretation and evaluation of examinations within healthcare institutions, for example, in Radiology, Nuclear Medicine and Cardiology environments.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2022-29875
The application deserialises untrusted data without sufficient validations that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system if ports 32912/tcp or 32914/tcp are reachable. CVSS v3.1 Base Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-502: Deserialization of Untrusted Data

ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity.

HISTORY DATA
V1.0 (2022-05-31): Publication Date

Services & Support

Education & Training

Siemens Healthineers Security Advisory

Ця інформація вам допомогла?

Продукти та сервіси