Critical ‘PwnedPiper’ vulnerabilities create significant risk for hospitals

Published 08/11/2021, 9:00am

The risk that vulnerabilities and malware pose for the healthcare industry became dramatically apparent last week with the news of the discovery of several vulnerabilities affecting the pneumatic tube devices used by 80% of the hospitals in North America.

Pneumatic tubes are about as ubiquitous in hospitals as syringes and needles. They’re used to quickly deliver medicines, blood, and other supplies across buildings. As a result, an attack on a hospital’s pneumatic devices and subsequent connected systems could severely cripple hospital care operations.

Of the nine vulnerabilities discovered, five involve remote code execution that could enable an attacker to access hospital networks and data on staff and other systems, as well as move laterally around hospital networks. Security researchers indicate that all of the vulnerabilities can be triggered without user interaction by sending unauthenticated network packets.

The bugs are listed as follows:

• CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server 
• CVE-2021-37167 – Privilege escalation vulnerability 
• CVE-2021-37161 – Memory corruption bug 
• CVE-2021-37164 – Memory corruption bug 
• CVE-2021-37165 – Memory corruption bug 
• CVE-2021-37162 – Memory corruption bug 
• CVE-2021-37166 – Denial of service vulnerability
• CVE-2021-37160 – Unencrypted, unauthenticated, and missing cryptographic signature

Next Steps

The maker of the pneumatic tubes has developed solutions to address the identified vulnerabilities and is in the process of contacting customers to discuss mitigation strategies. The firm is also urging users to contact them directly to review the applicability of the vulnerabilities to installed pneumatic tube systems.