Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers Announced by Siemens

Siemens published a bulletin about two recently identified vulnerabilities in RAPIDLab and RAPIDPoint Blood Gas Analyzers. So far, there are no submitted reports that suggest the vulnerabilities have been exploited, but users of devices are urged to take action to minimize risk.

The vulnerabilities impact the following gadgets: Siemens RAPIDLab 1200 Series and RAPIDPoint 400/405/500 cartridge-based blood-gas, electrolyte, and metabolite analyzers. The vulnerabilities found are CVE-2018-4845 and CVE-2018-4846.

CVE-2018-4845 will permit local or remote credentialed access to the Remote View function. If exploitation of the vulnerability succeeds, it can bring about privilege escalation which could possibly compromise the privacy, integrity, and accessibility of the system. There’s no need for user interaction to be able to exploit the vulnerability. The vulnerability was given a CVSS v3.0 score of 8.8.

CVE-2018-4846 pertains to a hardcoded password in a factory account that could possibly be taken advantaged of to get remote access to the device via port 8900/tcp, therefore compromising the privacy, integrity, and accessibility of the device. No privileges or user interaction are required to be able to exploitthe vulnerability. The vulnerability was given a CVSS v3.0 score of 7.3. Special skills are not required to exploit any of the vulnerabilities.

No fix has been given to resolve the identified vulenerabilities presently, though Siemens has determined workarounds and mitigations which will lower the risk that the vulnerabilities would be exploited. The following describe what must be done to the gadgets:

For RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems, all models without using Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to minimize exposure to CVE-2018- 4845.
  • Turn off Remote Viewing function by following the directions in “Enabling or Disabling Remote Viewing” available in the analyzer Operator’s Manual to minimize exposure to CVE-2018-4845 and offset CVE-2018- 4846.

For RAPIDLab 1200 Series, all models < V3.3 with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to minimize exposure to CVE-2018- 4845.
  • Upgrade the unti to V3.3 or 3.3.1. Make sure you speak to your Siemens Healthineers service desk to learn more.
  • Replace the password as per the release notes, or get in touch with the support department.
  • To make sure of smooth and safe connectivity with the RAPIDComm® Data Management System, use RAPIDComm® V7.0 or higher.

For RAPIDPoint 500 systems, all models >= V3.0 with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to reduce exposure to CVE-2018- 4845.
  • Replace the password as per the release notes or get in touch with the support department.
  • To make certain the the connectivity with RAPIDComm remains  seamless and secure, RAPIDComm V7.0 or higher is advisable.

Fo RAPIDPoint 500 systems and V2.4.X with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to limit getting exposed to CVE-2018- 4845.
  • Upgrade to and carry out directions given for V3.0.

For RAPIDPoint 500 systems, all models =< V2.3 with Siemens Healthineers Informatics products

  • Limit physical access to authorized persons only to restrict getting exposed to CVE-2018- 4845.
  • Siemens Healthineers will change this bulletin as soon as new info is available.

For RAPIDPoint 400 systems, all models with Siemens Healthineers Informatics products –

  • Limit physical access to authorized persons only to restrict exposure to CVE-2018- 4845.
  • Upgrade to RAPIDPoint 500 Series.
  • If upgrading is impossible, turn off Remote Viewing function by following the directions availalbe in the “Enabling or Disabling Remote Viewing” portion of the analyzer Operator’s Manual to minimize exposure to CVE-2018- 4845 and offset CVE-2018-4846.