CVE-2018-18561
Description
Insecure permissions in Roche Accu-Chek Inform II and CoaguChek base units allow adjacent attackers to execute arbitrary commands via the service interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the service interface of Roche Accu-Chek Inform II Base Unit / Base Unit Hub and CoaguChek / cobas h232 Handheld Base Unit. Insecure permissions combined with weak access credentials (Improper Authentication, CWE-287) enable attackers to execute arbitrary commands on the operating system. Affected versions are all versions before 03.01.04 for both product lines. [1]
Exploitation
An attacker on the adjacent network can reach the service interface without authentication, or with weak credentials, because authentication is improperly implemented. Once access is gained, insecure permissions allow the attacker to execute arbitrary OS commands. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the operating system, potentially modifying system settings or executing arbitrary code. This compromises the confidentiality, integrity, and availability of the device. [1]
Mitigation
Roche has released firmware version 03.01.04 to address the vulnerability. Users should update to this version or later. The Accu-Chek Inform II Base Unit Light and Base Unit NEW with software 04.00.00 or newer are not affected. No workarounds are mentioned. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <03.01.04
- Range: <03.01.04
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/105843 (mitre, vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSMA-18-310-01 (mitre, x_refsource_MISC)