BeaconMedaes created an update to address multiple vulnerabilities in its TotalAlert Scroll Medical Air Systems web application, according to a report from NCCIC.
The remotely exploitable vulnerabilities include improper access control, insufficiently protected credentials, and unprotected storage of credentials.
Successful exploitation of these vulnerabilities, discovered by Maxim Rupp, could allow an attacker to view and potentially modify some device information and web application setup information, which does not include access to patient health information.
Additionally, BeaconMedaes said a successful attacker would not be able to affect the ability of the device to operate as designed for the purpose of delivering medical air in compliance with the NFPA 99 standard for healthcare facilities.
The TotalAlert Scroll Medical Air Systems web application, running software versions 4107600010.23 and prior, is affected by these issues.
In one vulnerability, by accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access information in the application without authenticating.
CVE-2018-7526 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
In addition, an attacker with network access to the integrated web server could retrieve default or user-defined credentials that are stored and transmitted in an insecure manner.
CVE-2018-7518 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
Also, passwords are presented in plaintext in a file that is accessible without authentication.
CVE-2018-7515 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product is deployed mainly in the healthcare and public health sectors, on a global basis.
No known public exploits specifically target these vulnerabilities. An attacker with a low skill level could exploit them.
BeaconMedaes said the vulnerabilities do not compromise either patient health information or compliance with the NFPA 99 standard for healthcare facilities. To address these vulnerabilities, BeaconMedaes created update 4107600010.24 and recommends users of the TotalAlert Scroll Medical Air Systems update to this version or the latest release.
BeaconMedaes recommends affected users reach out to BeaconMedaes directly at 1-888-4MEDGAS (463-3427) to obtain this update.