Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers Announced by Siemens

Siemens has published a bulletin about two recently identified vulnerabilities in its RAPIDLab and RAPIDPoint Blood Gas Analyzers. So far, no reports have been submitted suggesting that the vulnerabilities have been exploited, but users of the devices are urged to take action to minimize risk.

The vulnerabilities affect the following devices: Siemens RAPIDLab 1200 Series and RAPIDPoint 400/405/500 cartridge-based blood-gas, electrolyte, and metabolite analyzers. The vulnerabilities are tracked as CVE-2018-4845 and CVE-2018-4846.

CVE-2018-4845 permits local or remote credentialed access to the Remote View function. Successful exploitation can result in privilege escalation, which could compromise the confidentiality, integrity, and availability of the system. No user interaction is required to exploit the vulnerability. The vulnerability was assigned a CVSS v3.0 score of 8.8.

CVE-2018-4846 concerns a hardcoded password in a factory account that could be exploited to gain remote access to the device via port 8900/tcp, thereby compromising the confidentiality, integrity, and availability of the device. No privileges or user interaction are required to exploit the vulnerability. The vulnerability was assigned a CVSS v3.0 score of 7.3. No special skills are required to exploit either vulnerability.

No fix is currently available for the identified vulnerabilities, but Siemens has identified workarounds and mitigations that reduce the risk of the vulnerabilities being exploited. The following describes what must be done for each group of devices:

For RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems, all models without using Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to minimize exposure to CVE-2018-4845.
  • Turn off the Remote Viewing function by following the directions in "Enabling or Disabling Remote Viewing" in the analyzer Operator's Manual to minimize exposure to CVE-2018-4845 and mitigate CVE-2018-4846.

For RAPIDLab 1200 Series, all models < V3.3 with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to minimize exposure to CVE-2018-4845.
  • Upgrade the unit to V3.3 or V3.3.1. Contact your Siemens Healthineers service desk to learn more.
  • Change the password as described in the release notes, or contact the support department.
  • To ensure seamless and secure connectivity with the RAPIDComm® Data Management System, use RAPIDComm® V7.0 or higher.

For RAPIDPoint 500 systems, all models >= V3.0 with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to reduce exposure to CVE-2018-4845.
  • Change the password as described in the release notes, or contact the support department.
  • To ensure that connectivity with RAPIDComm remains seamless and secure, RAPIDComm V7.0 or higher is recommended.

For RAPIDPoint 500 systems, V2.4.X, with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to limit exposure to CVE-2018-4845.
  • Upgrade to V3.0 and follow the directions given for V3.0.

For RAPIDPoint 500 systems, all models <= V2.3 with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to restrict exposure to CVE-2018-4845.
  • Siemens Healthineers will update this bulletin as soon as new information is available.

For RAPIDPoint 400 systems, all models with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to restrict exposure to CVE-2018-4845.
  • Upgrade to the RAPIDPoint 500 Series.
  • If upgrading is not possible, turn off the Remote Viewing function by following the directions in the "Enabling or Disabling Remote Viewing" section of the analyzer Operator's Manual to minimize exposure to CVE-2018-4845 and mitigate CVE-2018-4846.
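The version matrix above is easy to misapply across a fleet, so here is an added triage helper (example code written for this article, not Siemens' own tooling) that maps a device's model, firmware version and Informatics-connectivity flag to the bulletin's mitigation branch. The model names, the `V2.4.X` wildcard handling and the sample inventory are constructed assumptions; combinations the bulletin does not list are reported as such rather than guessed.

```python
import re

# Action strings paraphrase the bulletin's mitigations.
PHYS = "limit physical access to authorized persons (CVE-2018-4845)"
DISABLE_RV = "disable Remote Viewing per the Operator's Manual (CVE-2018-4845, CVE-2018-4846)"
CHANGE_PW = "change the factory account password per the release notes (CVE-2018-4846)"
RAPIDCOMM = "use RAPIDComm V7.0 or higher for seamless and secure connectivity"
NOT_COVERED = "combination not covered by the bulletin; contact Siemens Healthineers"

def parse_version(text):
    """Turn 'V3.3.1', '3.3' or 'V2.4.X' into a comparable tuple.
    A missing or wildcard patch counts as 0, so V2.4.X sorts with V2.4.0 (assumption)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.(\d+|[Xx]))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch and patch.isdigit() else 0)

def required_actions(model, version, informatics):
    """Mitigation list for one analyzer, following the bulletin's branches.
    model: 'RAPIDLab 1200', 'RAPIDPoint 400' or 'RAPIDPoint 500' (assumed spellings);
    informatics: True when the unit uses Siemens Healthineers Informatics products."""
    actions = [PHYS]
    if not informatics:
        return actions + [DISABLE_RV]  # all models without Informatics products
    ver = parse_version(version)
    if model == "RAPIDLab 1200" and ver < (3, 3, 0):
        return actions + ["upgrade to V3.3 or V3.3.1 via the service desk", CHANGE_PW, RAPIDCOMM]
    if model == "RAPIDPoint 500":
        if ver >= (3, 0, 0):
            return actions + [CHANGE_PW, RAPIDCOMM]
        if (2, 4, 0) <= ver < (2, 5, 0):
            return actions + ["upgrade to V3.0, then apply the V3.0 directions"]
        if ver < (2, 4, 0):
            return actions + ["await the updated bulletin from Siemens Healthineers"]
    if model == "RAPIDPoint 400":
        return actions + ["upgrade to the RAPIDPoint 500 Series",
                          f"if upgrading is not possible: {DISABLE_RV}"]
    return actions + [NOT_COVERED]  # e.g. RAPIDLab 1200 >= V3.3, RAPIDPoint 500 V2.5-V2.9

def triage(inventory):
    """Constructed inventory records -> {device id: required actions}."""
    return {d["id"]: required_actions(d["model"], d["version"], d["informatics"]) for d in inventory}

# Constructed sample inventory; these are not real devices.
SAMPLE = [
    {"id": "lab-a", "model": "RAPIDLab 1200", "version": "V3.2", "informatics": True},
    {"id": "poc-b", "model": "RAPIDPoint 500", "version": "V2.4.X", "informatics": True},
    {"id": "poc-c", "model": "RAPIDPoint 400", "version": "V1.1", "informatics": False},
]

if __name__ == "__main__":
    for dev, acts in triage(SAMPLE).items():
        print(dev, "->", "; ".join(acts))
```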

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/