Two medium-severity vulnerabilities have been discovered in Innokas Yhtymä Oy vital signs monitors that could allow an attacker to modify communications with downstream devices and to disable certain functions of the monitors. The vulnerabilities affect all VC150 patient monitors running software versions earlier than 1.7.15.
Affected patient monitors contain a cross-site scripting (XSS) vulnerability that permits injection of web script or HTML through the filename parameter of several administrative web interface endpoints. The vulnerability is caused by improper neutralization of input during web page generation. It is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.
The second vulnerability, tracked as CVE-2020-27260, is caused by improper neutralization of special elements in output that is used by downstream components. This HL7 v2.x injection vulnerability allows an attacker who is in close proximity to the device and has access to a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages through a variety of expected parameters. This vulnerability was assigned a severity score of 5.3 out of 10.
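Both vulnerabilities are output-neutralization failures: untrusted input (a filename, a scanned barcode value) reaches a sink that interprets certain characters structurally, HTML markup in the first case and HL7 v2.x delimiters in the second. The example below is added here to illustrate the mitigation for each context; it is not code from Innokas Yhtymä Oy or from the VC150 firmware, the function and message field names are hypothetical, and it assumes the default HL7 delimiters `|^~\&`. The HL7 part shows why the segment terminator (carriage return) must be rejected outright while the five delimiters can be escaped, and includes a structural check a defender can use to confirm that a built message still has only the segments it was meant to have.

```python
import html
import re

# ---------------------------------------------------------------------------
# Context 1: HTML output (the XSS sink). A filename echoed into an admin page
# is neutralized with HTML entity encoding before being embedded in markup.
# ---------------------------------------------------------------------------

def render_file_row(filename: str) -> str:
    """Render one table row of a hypothetical file listing, escaping the
    untrusted filename so it is displayed as text rather than parsed as markup."""
    return "<tr><td>%s</td></tr>" % html.escape(filename, quote=True)


# ---------------------------------------------------------------------------
# Context 2: HL7 v2.x output (the injection sink). Default delimiters are
# assumed ("|^~\&", as declared in MSH-1/MSH-2); a real implementation must
# read them from the message header instead of hard-coding them.
# ---------------------------------------------------------------------------

SEGMENT_TERMINATOR = "\r"
FIELD, COMPONENT, REPETITION, ESCAPE, SUBCOMPONENT = "|", "^", "~", "\\", "&"

# Standard HL7 v2.x escape sequences for the five delimiters.
HL7_ESCAPES = {
    ESCAPE: "\\E\\",
    FIELD: "\\F\\",
    COMPONENT: "\\S\\",
    REPETITION: "\\R\\",
    SUBCOMPONENT: "\\T\\",
}

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class HL7InjectionError(ValueError):
    """Raised when a value would alter message structure and cannot be escaped."""


def neutralize_hl7_field(value: str) -> str:
    """Make an untrusted string safe to embed as a single HL7 field value.

    Control characters (above all the CR segment terminator) are rejected,
    because a stray CR starts a new segment; the five delimiters are replaced
    by their standard escape sequences. The escape character is handled first
    so the backslashes introduced by later replacements are not re-escaped.
    """
    if _CONTROL_CHARS.search(value):
        raise HL7InjectionError("control character in field value: %r" % value)
    out = value.replace(ESCAPE, HL7_ESCAPES[ESCAPE])
    for delim in (FIELD, COMPONENT, REPETITION, SUBCOMPONENT):
        out = out.replace(delim, HL7_ESCAPES[delim])
    return out


def build_oru_message(patient_id: str, observation_id: str, value: str,
                      neutralize=neutralize_hl7_field) -> str:
    """Build a minimal ORU^R01 message from scanned or entered values.

    `neutralize` is applied to every untrusted field. Passing `lambda s: s`
    reproduces the unsafe behaviour (raw insertion) for comparison.
    """
    segments = [
        "MSH|^~\\&|MONITOR|WARD|HIS|HOSPITAL|20200101120000||ORU^R01|MSG00001|P|2.3",
        "PID|1||%s" % neutralize(patient_id),
        "OBX|1|NM|%s||%s|bpm" % (neutralize(observation_id), neutralize(value)),
    ]
    return SEGMENT_TERMINATOR.join(segments) + SEGMENT_TERMINATOR


def segment_names(message: str) -> list:
    """Return the segment identifiers of a message, for checking its structure
    (a built ORU^R01 here should contain exactly MSH, PID and OBX)."""
    return [seg[:3] for seg in message.split(SEGMENT_TERMINATOR) if seg]


if __name__ == "__main__":
    # Constructed sample: a barcode value carrying a CR and a second PID segment.
    scanned = "12345" + SEGMENT_TERMINATOR + "PID|1||99999"
    print(segment_names(build_oru_message(scanned, "HR", "72", neutralize=lambda s: s)))
    try:
        build_oru_message(scanned, "HR", "72")
    except HL7InjectionError as exc:
        print("rejected:", exc)
```

The structural check in `segment_names` is the detection side of the same idea: if the number or order of segments in an outgoing message differs from what the builder was asked to produce, a field value has escaped its context, and the message should be dropped and logged rather than forwarded to the downstream system.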
The vulnerabilities were identified by Julian Suleder, Birk Kauer, and Nils Emmerich of ERNW Research GmbH, and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.
Innokas Yhtymä Oy has already issued a software update that fixes the vulnerabilities and advises using only software version 1.7.15b or later. To date, there have been no reports of these vulnerabilities being exploited in the wild.
The following network security practices are also recommended:
- Segment networks
- Use VLANs
- Isolate patient monitors
- Implement physical restrictions to prevent the unauthorized access of patient monitors
- Clinical personnel should report any instances of unauthorized persons attempting to log in to or tamper with the patient monitors