#VU49340 Code injection in Vital Signs Monitor VC150
Vulnerability identifier: #VU49340
Vulnerability risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-74
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Vital Signs Monitor VC150
Hardware solutions /
Medical equipment
Vendor:
Description
The vulnerability allows an attacker to manipulate the device data.
The vulnerability exists due to insufficient filtration of user-supplied data when processing HL7 v2.x messages. A physically proximate attacker with a connected barcode reader can inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
External links
http://ics-cert.us-cert.gov/advisories/icsma-21-007-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
