Unrated severity · NVD Advisory · Published Nov 20, 2018 · Updated Aug 5, 2024

CVE-2018-18564

Description

Improper access control in Roche Accu-Chek Inform II, CoaguChek Pro II, and cobas h 232 allows adjacent attackers to change device configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An improper access control vulnerability exists in Roche Accu-Chek Inform II (versions before 03.06.00 for serial numbers below 14000, and before 04.03.00 for serial numbers above 14000), CoaguChek Pro II (versions before 04.03.00), and cobas h 232 (versions before 04.00.04 for serial numbers above KQ0400000 or KS0400000). The issue allows an attacker on the adjacent network to change the instrument configuration without proper authorization [1].

Exploitation

An attacker with access to the adjacent network can exploit this vulnerability by sending crafted requests to the affected device. No authentication is required, and the attack complexity is low. The attacker can directly modify the instrument's configuration settings [1].

Impact

Successful exploitation enables the attacker to alter the device's configuration, which could lead to incorrect device operation or further compromise of the device's functionality. This may affect the accuracy of medical results or allow additional malicious actions [1].

Mitigation

Roche has released software updates to address this vulnerability: Accu-Chek Inform II base units should be updated to version 03.06.00 (serial below 14000) or 04.03.00 (serial above 14000); CoaguChek Pro II to version 04.03.00; and cobas h 232 to version 04.00.04. Accu-Chek Inform II Base Unit Light and Base Unit NEW with software 04.00.00 or newer are not affected. Users should contact Roche Diagnostics for the latest updates [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
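
The version and serial thresholds from the Mitigation section, turned into an inventory triage check. This is an added example, not code from Roche or from this advisory; the serial formats (numeric for Accu-Chek Inform II, KQ/KS plus seven digits for cobas h 232), the `triage` and `fixed_version_for` names and the inventory rows are assumptions, and the Base Unit Light / Base Unit NEW exception is not modeled.

```python
import re

# Fixed versions as stated in the advisory text above.
INFORM_II_LOW, INFORM_II_HIGH = "03.06.00", "04.03.00"
COAGUCHEK_FIXED, COBAS_FIXED = "04.03.00", "04.00.04"

def parse_version(text):
    """Turn 'NN.NN.NN' into a tuple of ints so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))

def fixed_version_for(model, serial):
    """Return the fixed version for this device, or None when the advisory
    text gives no threshold for the model/serial combination."""
    model, serial = model.strip().lower(), serial.strip().upper()
    if model == "accu-chek inform ii":
        if not serial.isdigit():          # assumed: serials are numeric
            return None
        number = int(serial)
        if number < 14000:
            return INFORM_II_LOW
        if number > 14000:
            return INFORM_II_HIGH
        return None                       # exactly 14000 is not covered
    if model == "coaguchek pro ii":
        return COAGUCHEK_FIXED
    if model == "cobas h 232":
        # assumed: "above KQ0400000 or KS0400000" compares the digits
        match = re.fullmatch(r"(KQ|KS)(\d{7})", serial)
        if match and int(match.group(2)) > 400000:
            return COBAS_FIXED
    return None

def triage(model, serial, version):
    """Classify one device as 'affected', 'fixed' or 'review' (manual check)."""
    fixed = fixed_version_for(model, serial)
    try:
        current = parse_version(version)
    except ValueError:
        return "review"
    if fixed is None:
        return "review"
    return "affected" if current < parse_version(fixed) else "fixed"

# Constructed inventory rows (model, serial, software version); not real devices.
INVENTORY = [("Accu-Chek Inform II", "12345", "03.05.00"),
             ("Accu-Chek Inform II", "20000", "04.03.00"),
             ("cobas h 232", "KQ0412345", "04.00.03")]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*row, triage(*row))
```

Devices that come back as `review` fall outside the thresholds quoted above and need a manual check against the vendor's advisory.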

Affected products: 3


References: 2
