CVE-2021-37160:

Firmware Validation Vulnerability in Swisslog Healthcare Nexus Panel HMI3 Control Panel

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Aug 2, 2021
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:2.0
EPSS Percentile:84%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Firmware Validation Vulnerability in Swisslog Healthcare Nexus Panel HMI3 Control Panel

Overview

This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects the Swisslog Healthcare Nexus Panel's HMI3 Control Panel when running software versions prior to 7.2.5.7. The absence of firmware validation mechanisms means that the system accepts any firmware file without verifying its authenticity or integrity. An attacker with access to the firmware update functionality could potentially upload malicious firmware, which could lead to complete system compromise, unauthorized access to sensitive healthcare data, disruption of pneumatic tube systems in healthcare facilities, or other malicious activities. This vulnerability is part of a larger set of vulnerabilities in Swisslog Healthcare systems collectively known as "PwnedPiper."

Remediation

1. Update to Nexus Software version 7.2.5.7 or later, which includes firmware validation mechanisms.
2. Implement network segmentation to limit access to the Nexus Panel systems.
3. Monitor network traffic to and from these systems for suspicious activities.
4. Restrict physical and network access to the control panels to authorized personnel only.
5. Contact Swisslog Healthcare technical support for assistance with implementing security patches and best practices.
6. Follow the specific mitigation instructions provided in the vendor security bulletin.