Update on BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application Vulnerabilities

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a bulletin warning healthcare organizations about remotely exploitable vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. The vulnerabilities affect TotalAlert Scroll Medical Air Systems operating software version 4107600010.23 and earlier, and require only a low level of technical proficiency to exploit.

If the vulnerabilities are successfully exploited, an attacker can view and change device information and web application setup information, though those changes would not be enough to affect the device's ability to work as intended. BeaconMedaes has stated that the vulnerabilities cannot be used to access patient medical data and do not undermine compliance with the NFPA 99 standard for medical facilities.

ICS-CERT states that two vulnerabilities have a CVSS v3 score of 7.5 out of 10 (high) and one vulnerability has a CVSS v3 score of 5.3 (medium). The two vulnerabilities rated high are CWE-522 and CWE-256. CWE-522 involves insufficiently protected credentials, which may be exploited by an attacker with network access to the integrated web server. Exploitation would allow the attacker to retrieve default or user-defined credentials that are stored and transmitted insecurely. CWE-256 involves unprotected storage of credentials: passwords are held in plaintext in a file that can be viewed without authorization.

CVE-2018-284 involves improper access credentials. By visiting a particular URL on the web server, an attacker may gain access to information in the application without authenticating.

Security researcher Maxim Rupp reported the vulnerabilities to the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC advises users to take the following steps to reduce the risk of the flaws being exploited:

  • Minimize network exposure for all control system devices
  • Don’t expose control system devices to the Internet
  • Protect control system networks behind firewalls
  • Do not expose control system networks to the business network
  • Use the most current version of VPNs when connecting remotely

BeaconMedaes has evaluated the vulnerabilities and developed a fix. An update, version 4107600010.24, has now been released to correct the flaws and should be applied immediately. BeaconMedaes advises affected users to contact the company at 1-888-4MEDGAS (463-3427) to get the update. NCCIC suggests that entities conduct an impact analysis and risk evaluation before updating the software or applying defensive measures.