Stephen Yackey of Securifera identified five vulnerabilities in the continuous monitoring system of MesaLabs AmegaView, which is utilized in hospital laboratories, forensics labs, and biotech firms. Two critical command injection vulnerabilities are given CVSS severity scores of 9.9 and 10 out of 10. Both vulnerabilities affect the AmegaView Versions 3.0 and prior versions.
The vulnerabilities include the following:
Vulnerability CVE-2021-27447 is given a CVSS 10/10. It is caused by the wrong neutralization of special elements utilized in a command that can enable an attacker to execute arbitrary code.
Vulnerability CVE-2021-27449 is given a CVSS 9.9/10. It is caused by the wrong neutralization of special elements utilized in a command that could allow an attacker to execute web server commands.
Vulnerability CVE-2021-27445 is given a CVSS 7.8/10. It is a result of insecure file permissions that enable an attacker to lift privileges on the device.
Vulnerability CVE-2021-27451 is given a CVSS 7.3/10. It is a result of the wrong authentication due to the passcodes produced by an easily reversible algorithm that could allow an attacker to acquire access to the device.
Vulnerability CVE-2021-27453 is given a CVSS 7.3/10. It is an authentication bypass issue that could enable an attacker to acquire web app access.
There are currently no public exploits that particularly target these vulnerabilities. Given that AmegaView is near its end-of-life this year, MesaLabs has made the decision not to produce any patches to address the vulnerabilities. Instead, all customers using the vulnerable devices are advised to obtain a current Viewpoint software that is compatible with AmegaView systems.
If this cannot be carried out, or if it is, it is suggested to determine vulnerable products secured by firewalls and to segregate them from the system and ensure they aren’t accessible on the internet. If remote access is required, Virtual Private Networks (VPNs) must be utilized for access, and VPNs must be the newest version.
Before taking on any new safety actions, an impact and risk analysis should be performed.