Siemens is readying patches for a number of vulnerabilities in its molecular imaging products, including some where public exploits are available.
Advisories published Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) indicate that the flaws are remotely exploitable.
“Siemens is preparing updates for the affected products and recommends protecting network access to the Molecular Imaging products with appropriate mechanisms,” ICS-CERT said in its advisory. “It is advised to run the devices in a dedicated network segment and protected IT environment.”
Siemens said its Siemens PET/CT Systems, SPECT/CT Systems, SPECT Systems and SPECT Workplaces/Symbia.net systems for Windows XP and Windows 7 are affected. ICS-CERT said that exploits are available only for the Windows 7 bugs, and that an attacker with a relatively low skill level could successfully exploit the vulnerabilities and remotely execute code on the affected devices.
These systems, Siemens said, are used in medical imaging procedures across the healthcare and public health industries worldwide.
Four vulnerabilities, all of which are from 2015, affect the Windows 7 versions of the products. One is an improper restriction of operations within the bounds of a memory buffer, which could be exploited using a crafted request sent to an HP Client automation service belonging to the device. Another affects permissions, privileges and access controls on the device; it too is a remote code execution bug that can be exploited through the HP Client. Both vulnerabilities have a CVSS score of 9.8, just shy of the most critical score possible, 10.0.