High-Risk Security Flaws Found and Patched in ZOLL Defibrillator Management Software.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has released an alert stating that multiple remote code execution vulnerabilities have been identified in software used by ZOLL, a US-based healthcare technology provider.
According to the authorities, the flaws were found in the company’s Defibrillator Dashboard, and an attacker can exploit them to take over the affected system. Reportedly, many high-scoring flaws were present in ZOLL’s software, mainly used to manage defibrillator devices and result in the loss of sensitive data.
Why is the Dashboard Used?
The Defibrillator Dashboard lets medical professionals monitor the fleet of defibrillators. This dashboard is designed to be used in the biomedical engineering departments in a healthcare facility. It streamlines defibrillator management and helps administrators perform real-time monitoring of devices across multiple sites and within the enterprise environment.
About the Vulnerabilities
Around half a dozen vulnerabilities were found in the defibrillator dashboard before version 2.2. One of the vulnerabilities identified by CISA is an unrestricted file upload flaw that received a CVSS score of 9.9.
Another one is a cross-site scripting bug (XSS), then there is an insecure password storage flaw and a privilege escalation issue. The dash uses hard-coded cryptographic keys, which increased the high likelihood of exploiting one of the flaws as it can let an attacker recover encrypted data.
“The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system,” CISA wrote in the advisory.
Suppose a threat actor manages to access the system. In that case, they can obtain or read sensitive data/information because one of the vulnerabilities stores system data in cleartext format and maintains account ID in a plaintext browser cookie.
This two folds the risk of exposure in case the device gets compromised. Moreover, an attacker can copy the cookie remotely by combining the flaw with a cross-site scripting flaw if the device isn’t compromised.
Finally, the dashboard doesn’t encrypt data prior to writing it to a buffer, exposing data to unauthorized actors.
A Patch Is Necessary- CISA
According to the advisory, these flaws were reported anonymously to CISA, and ZOLL was contacted to develop necessary patches.
CISA further explained that if these vulnerabilities were exploited successfully, it would have allowed attackers to carry out remote code execution, gain access to user credentials, and/or compromise the “confidentiality, integrity, and availability of the application.”
As a result, CISA urges relevant administrators to upgrade to the latest version of the software to mitigate the threat.