US-CERT Issues Alert About Dräger Infinity Delta Patient Monitor Vulnerabilities

The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Team (US-CERT) has issued an alert regarding three vulnerabilities impacting Dräger Infinity Delta patient monitoring devices.

The vulnerabilities are present in all versions of Delta XL, Infinity Delta, Kappa, and Infinity Explorer C700 patient monitoring devices. They could be exploited to gain access to sensitive data in device logs, to perform Denial of Service (DoS) attacks, or possibly to get total control of the OS of a vulnerable device. Marc Ruef and Rocco Gagliardi of scip AG discovered the vulnerabilities.

Details of the vulnerabilities are listed below:

CVE-2018-19014 (CWE-532) – Exposure of Information in Log Files
Log files do not have appropriate security protections and may be accessed on an unauthenticated network. Device log files contain data related to the internals of the monitor, device location, and its wired network settings. The flaw was given a CVSS v3 base score of 4.3.

CVE-2018-19010 (CWE-20) – Incorrect Input Validation
An error in input validation can be exploited to cause a constant reboot of the device. An attacker can repeatedly send a malformed network packet, resulting in multiple reboots of a vulnerable device until it reverts to its default setting and the network connection is lost. The flaw was given a CVSS v3 base score of 6.5.

CVE-2018-19012 (CWE-269) – Improper Privilege Management
An attacker can break out of kiosk mode through a specific dialog and take total control of the operating system. The vulnerability was given a CVSS v3 base score of 8.4.

Dräger corrected all three vulnerabilities in December 2018. Devices must be updated to Delta/Infinity Explorer VF10.1 to correct the vulnerabilities. The update is available via Dräger Service Connect. Users have been advised to evaluate their network segmentation settings and ensure that the devices are physically or logically segregated from the hospital LAN. Additionally, it is recommended that users examine their Infinity Explorer’s Windows patch level.