CVE-2018-18562
Description
Weak access credentials in Roche Accu-Chek Inform II and CoaguChek base units enable adjacent attackers to gain unauthorized service access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper authentication vulnerability (CWE-287), identified as CVE-2018-18562, exists in the service interface of Roche Accu-Chek Inform II Base Unit / Base Unit Hub (all versions before 03.01.04) and CoaguChek / cobas h232 Handheld Base Unit (all versions before 03.01.04) [1]. The affected products are point-of-care handheld medical devices and their associated base units [1]. The vulnerability is due to weak access credentials, which may allow an attacker to gain access without proper authentication [1].
Exploitation
An attacker with access to the adjacent network can exploit this vulnerability without requiring authentication or user interaction [1]. The attack complexity is low, and the attacker only needs to be able to communicate with the service interface on the affected base unit [1]. The exact sequence of steps is not detailed in the references, but the weak credentials could be guessed or brute-forced to gain access.
Impact
Successful exploitation allows an attacker to gain unauthorized service access to the device [1]. Based on the CVSS v3 vector string (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), this can lead to high confidentiality impact, meaning sensitive patient data or device configuration could be disclosed [1]. The same vector rates the impact on integrity and availability as none (I:N/A:N).
Mitigation
Roche has released software version 03.01.04 which addresses this vulnerability [1]. Users should update all affected Accu-Chek Inform II Base Unit / Base Unit Hub and CoaguChek / cobas h232 Handheld Base Unit devices to version 03.01.04 or later. The Accu-Chek Inform II Base Unit Light and Base Unit NEW with Software 04.00.00 or newer are not affected [1]. No workaround is mentioned in the available reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <03.01.04
- Range: <03.01.04
References
- www.securityfocus.com/bid/105843 (mitre; vdb-entry; x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSMA-18-310-01 (mitre; x_refsource_MISC)