VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2018 · Updated Aug 5, 2024

CVE-2018-18563

Description

Improper access control in Roche point-of-care devices allows an adjacent attacker to execute arbitrary code via a crafted Poct1-A message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the service command interface of Roche Diagnostics point-of-care handheld medical devices, including Accu-Chek Inform II, CoaguChek Pro II, CoaguChek XS Plus, CoaguChek XS Pro, and cobas h 232, along with related base units, base unit hubs, and handheld base units [1]. Improper access control allows an attacker in the adjacent network to execute arbitrary code by sending a specially crafted Poct1-A message. Affected versions include Accu-Chek Inform II before 03.06.00 (serial below 14000) and 04.x before 04.03.00 (serial above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (serial KQ/KQ or KS/KS0400000) and cobas h 232 before 04.00.04 (serial above those ranges) [1].

Exploitation

An attacker must be on the adjacent network (e.g., same Wi-Fi) and requires no authentication. The attacker sends a malicious Poct1-A message to the affected device’s service interface, which the system does not properly restrict. The crafted message triggers command execution on the device [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the system. This could lead to full compromise of the device, affecting confidentiality, integrity, and availability of patient data and device functionality [1].

Mitigation

Roche has released firmware updates to address the issue: Accu-Chek Inform II version 03.06.00 or 04.03.00, CoaguChek Pro II version 04.03.00, CoaguChek XS Plus version 03.01.06, CoaguChek XS Pro version 03.01.06, and cobas h 232 version 03.01.03 or 04.00.04 (depending on serial number). Users should update to these versions or later [1]. As a workaround, limit network access to the devices and disable unnecessary services if possible [1].
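A fleet inventory check against the fixed firmware versions listed above, as an added example and not code from Roche or the advisory. It assumes the fix release is selected by the firmware's major line (03.x or 04.x), which the advisory ties to serial-number ranges, so serials are not parsed here and any model or firmware line the advisory does not name is flagged for human review rather than marked safe.

```python
"""Inventory check for CVE-2018-18563: flag Roche point-of-care devices
still running firmware below the fixed release named in the advisory.

ASSUMPTION: the fixed version is chosen by the firmware's major line
(03.x or 04.x); the advisory ties that split to serial-number ranges,
which are not parsed here.
"""
from typing import List, NamedTuple, Optional, Tuple

# Fixed firmware per product and firmware line, taken from the advisory text.
FIXED_VERSIONS = {
    "Accu-Chek Inform II": {3: "03.06.00", 4: "04.03.00"},
    "CoaguChek Pro II":    {4: "04.03.00"},
    "CoaguChek XS Plus":   {3: "03.01.06"},
    "CoaguChek XS Pro":    {3: "03.01.06"},
    "cobas h 232":         {3: "03.01.03", 4: "04.00.04"},
}

class Finding(NamedTuple):
    model: str
    version: str
    status: str                  # "affected", "patched" or "review"
    fixed_version: Optional[str]

def parse_version(text: str) -> Tuple[int, int, int]:
    """'03.06.00' -> (3, 6, 0); leading zeros carry no meaning."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def check_device(model: str, version: str) -> Finding:
    lines = FIXED_VERSIONS.get(model)
    if lines is None:                       # not a product named in the advisory
        return Finding(model, version, "review", None)
    ver = parse_version(version)
    fixed = lines.get(ver[0])
    if fixed is None:                       # firmware line not named for this model
        return Finding(model, version, "review", None)
    status = "affected" if ver < parse_version(fixed) else "patched"
    return Finding(model, version, status, fixed)

def check_inventory(rows: List[Tuple[str, str]]) -> List[Finding]:
    return [check_device(model, version) for model, version in rows]

# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [("Accu-Chek Inform II", "03.05.02"), ("Accu-Chek Inform II", "04.03.00"),
                    ("CoaguChek XS Pro", "03.01.06"), ("cobas h 232", "04.00.03"),
                    ("CoaguChek Pro II", "03.02.00")]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.model:22} {f.version:9} {f.status:9} fix={f.fixed_version}")
```

Devices reported as "review" should be checked against Roche's serial-number guidance before being treated as patched.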

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
