Today the DHS ICS-CERT published a medical device security
advisory for products from Vyaire Medical. They also updated a control system
security advisory for products from Siemens.
Vyaire Advisory
This advisory
describes an uncontrolled search path element vulnerability in the Vyaire CareFusion
Upgrade Utility. The vulnerability was reported by Mark Cross (@xerubus).
Vyaire no longer supports the affected version and recommends that owners
upgrade to the newer version of the utility. ICS-CERT notes that “This updated
Upgrade Utility will not install on Windows XP and will require updating the
underlying system to Windows 7 or later.” There is no indication that Cross was
provided an opportunity to verify that the newer version is not affected.
ICS-CERT reports that an uncharacterized attacker with local
access could exploit the vulnerability to insert a malicious DLL on the target
system and run arbitrary code.
Siemens Update
This update
provides additional information on an advisory that was originally published on
January 25th, 2018. The update removes a broken link that was
included in the original Siemens
security notice.