The Department of Homeland Security's Industrial Control System Computer Emergency Response Team (ICS-CERT) has issued an alert warning of four vulnerabilities in multiple medical molecular imaging systems from Siemens. All of these systems have publicly available exploits that could allow an attacker to execute code remotely—potentially damaging or compromising the safety of the systems. "An attacker with a low skill would be able to exploit these vulnerabilities," ICS-CERT warned.
Siemens identified the vulnerabilities in a customer alert on July 26, warning that the vulnerabilities were highly critical—giving them a rating of 9.8 out of a possible 10 using the Common Vulnerability Scoring System. The systems affected include Siemens CT, PET, and SPECT scanners and medical imaging workflow systems based on Windows 7.
One of the vulnerabilities is in the built-in Window Web server running on the systems. "An unauthenticated remote attacker could execute arbitrary code by sending specially crafted HTTP requests to the Microsoft Web server (port 80/tcp and port 443/tcp) of affected devices," Siemens warned in its alert. The bug in the Web server software allows code injection onto the devices.