45% Connected Medical Devices Vulnerable to BlueKeep Exploit

February 19, 2020 - Microsoft issued a rare legacy patch for vulnerability known as BlueKeep, which impacts about 1 million devices. According to a new report from CyberMDX, about 45 percent of connected medical devices are vulnerable to an exploit.

The initial patch for CVE-2019-0708 on the Windows 2003, Windows 7, Server 2008, and XP Systems was released in May 2019. Federal agencies and Microsoft repeatedly warned organizations to apply the patch given its similarities to earlier global cyberattacks like WannaCry.

The wormable flaw is found in the remote desktop protocol of the impacted platforms. A successful exploit would allow an attacker to remotely execute RDP without authorization to send tailored requests – including malware. Hackers have been targeting the gap with cryptocurrency attacks.

In total, the report found about 22 percent of typical Windows devices on a hospital network are exposed to BlueKeep. But when discussing medical devices specifically, about 45 percent are vulnerable to BlueKeep.

Overall, about 26 percent of total connected hospital assets and about 17 percent of medical devices operate on Windows operating systems.

CyberMDX estimates that about one in 10 devices on a hospital network is a medical device and are prime targets for hackers. Medical devices range from infusion pumps, IoMT devices, and the like, and hold protected health information often stored unencrypted without requiring authentication.

Devices also frequently run on outdated operating systems and software and are often directly connected to a workstation, which is typically connected to the rest of the hospital network. Hospitals failing to properly segment their network add to the risk of connected devices.

In addition, about 5 percent of connected hospital assets are inactive and are digitally unseen at times. The devices can disconnect from the network and not reconnect for several weeks, making it difficult to locate devices and can make it nearly impossible to enforce physical access controls.

What’s more, CyberMDX found that the majority of hospitals either neglect granular network segmentation altogether or do so for purposes other than security. As a result, segmentation contains a variety of device types, “some with restricted communications and others open to the internet.”

As a result, it defeats the purpose of segmenting in the process, while expanding the attack surface.

“Healthcare facilities can potentially have more than one-hundred-thousand devices connected to a network,” researchers explained. “Even when conscientious administrators try to adhere to established [segmentation] best practices, they can falter when applying general best practices to an industry with very distinct network norms and needs.”

“There’s a lot of connected technology and digital infrastructure that goes into a hospital’s business as usual,” they added. “Though much of that technology will pass unseen to the casual observer it requires continuous and diligent management: Something easy to say but very difficult to do.”

The report also shows that many medical devices are also vulnerable to a flaw known as SACK Panic, which impacts Linux-based operating systems typicall used by nurse call systems. Abut 15 percent of connected hospital assets and 30 percent of medical devices are vulnerable to the flaw.

The vulnerability refers to Urgent/11, reported by the Food and Drug Administration in October, which could be remotely exploited by a hacker to take control of a medical device or even change its function, cause a denial of service attack, data breach, or logical flaws.

At the time, officials warned that the flaw poses a serious risk to medical devices and hospitals. CyberMDX showed that while just 7 percent of all networked devices are exposed to the flaw, 33 percent of all connected medical devices are exposed.

Also notable, the Citrix vulnerability – which the Department of Homeland Security has repeatedly warned hackers are exploiting – poses a particular risk to medical networks, according to CyberMDX. Not only can it be used to gain access to data, it can also serve as a foothold into the enterprise network.

“It is considered particularly dangerous because it can be exploited without authorization and without any prior network access,” researchers wrote. “If exploited, the vulnerability would give an attacker a “bridge” to the network, using compromised DMZ devices to gain access to internal assets.”

“Conscientious hospital administrators should move with purpose and urgency to address this vulnerability, as Citrix noted that exploits in the wild have been observed and proof-of-concept code for an exploit publicaly emerged in January 2020,” they added.

Medical device security is crucial both to the security of a hospital network and its data, but also to patient safety. As many security researchers have noted in the past, a compromised device could impact severely impact patient care.

For CyberMDX, patching is a key component to shoring up these gaps. However, it’s no easy task. The majority of providers fail to patch medical devices for several reasons, such as some requiring manual patching, one device at a time.

“Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through the active directory and SCCM) to devices distributed throughout the organization,” researchers wrote. “For these devices, technicians must individually investigate and manually attend the affected devices.”

It’s important to note that vendors have released patches for BlueKeep and Citrix, but the patches for SACK Panic and URGENT/11 will need to be directly supplied by the vendor.

When patching is not possible, healthcare organizations need to lean on restricting and adjusting device configurations. The easiest way is to simply close any operationally necessary ports, as exploits rely on specific ports being left open to hackers. But CyberMDX noted it’s just a stop-gap, and it can be incredibly time-consuming on a large network.

Further, it’s not a workaround for RDP flaws like those related to BlueKeep. Organizations can also disable unneeded services, enable NLA, and enforce specific firewall/NAC/IDS policies to prevent these major exploits when patching is not an option.

“Closing ports that are not critical to a device’s intended operation can therefore be an attractive workaround to proper patching,” researchers wrote. “If it’s not clear to you which ports are vital to a device’s intended operation, it is recommended that you refer to the device’s MDS2 file and consult with the vendor as needed.”

“Remediation plans that systematically map out the vulnerable areas in hospital networks and prioritize interventions help to close the security gap in the most efficient way possible,” they added.

To CyberMDX, successful remediation plans with algorithmically weigh the potential for patient harm, as well as map the different vulnerabilities on the network and those likely to inflict damage.