VYPR
Severity: Unrated · NVD Advisory · Published Nov 20, 2018 · Updated Aug 5, 2024

CVE-2018-18565

Description

Authenticated adjacent attackers can overwrite arbitrary files on Roche point-of-care devices via crafted update packages, affecting multiple models before specific versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An issue was discovered in the software update mechanism of several Roche Diagnostics point-of-care handheld medical devices. The vulnerability allows authenticated attackers in the adjacent network to overwrite arbitrary files on the system through a crafted update package. Affected devices include Accu-Chek Inform II (before 03.06.00 for serial numbers below 14000, and before 04.03.00 for serial numbers above 14000), CoaguChek Pro II (before 04.03.00), CoaguChek XS Plus and XS Pro (both before 03.01.06), and cobas h 232 (before 03.01.03 for serial numbers below KQ0400000 or KS0400000, and before 04.00.04 for serial numbers above those)[1].

Exploitation

An attacker must be authenticated and have adjacent network access to the targeted device. The attacker then crafts a malicious update package that exploits the insufficient verification in the update mechanism. By delivering this package to the device (e.g., through a service interface), the attacker can overwrite arbitrary files on the system[1].
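The narrative above attributes the file overwrite to insufficient verification of the update package. The following is an added illustration of what sufficient verification looks like for an update installer of this kind; it is not Roche's code and the page does not describe the devices' actual package format. It contrasts an installer that trusts every entry name with one that authenticates the manifest, checks each entry's digest, and refuses any destination outside the install root. The key, the install root `/opt/device/app`, the function names and the sample packages are all constructed for the example, and an HMAC stands in for the asymmetric vendor signature a real device would use.

```python
"""Update-package verification: weak pattern beside hardened pattern (illustrative)."""
import hashlib
import hmac
import json
import posixpath

# Constructed demo key. A real device would hold a vendor public key and verify
# an asymmetric signature; HMAC is used only to keep this example self-contained.
VENDOR_KEY = b"constructed-demo-vendor-key"
INSTALL_ROOT = "/opt/device/app"  # assumed install root, not from the advisory


class UpdateRejected(Exception):
    """Raised when a package fails any verification step."""


def sign_package(files, key=VENDOR_KEY):
    """Build a package: file entries, a manifest of per-file SHA-256 digests,
    and a MAC over the manifest. `files` maps relative paths to bytes."""
    manifest = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"manifest": manifest_bytes, "tag": tag, "files": dict(files)}


def plan_install_unverified(package, root=INSTALL_ROOT):
    """The weak pattern: write every entry wherever its name resolves to.
    Returns the destination paths so the effect can be inspected without touching disk."""
    return [posixpath.normpath(posixpath.join(root, rel)) for rel in package["files"]]


def plan_install_verified(package, root=INSTALL_ROOT, key=VENDOR_KEY):
    """The hardened pattern: authenticate the manifest, require every entry to be
    listed with a matching digest, and confine every destination to `root`."""
    expected = hmac.new(key, package["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise UpdateRejected("manifest signature mismatch")
    manifest = json.loads(package["manifest"])
    if set(manifest) != set(package["files"]):
        raise UpdateRejected("entry set differs from signed manifest")
    root = posixpath.normpath(root)
    plan = []
    for rel, data in package["files"].items():
        if hashlib.sha256(data).hexdigest() != manifest[rel]:
            raise UpdateRejected(f"digest mismatch for {rel}")
        if posixpath.isabs(rel):
            raise UpdateRejected(f"absolute path in package: {rel}")
        # Resolve '..' components and insist the result stays strictly under root.
        dest = posixpath.normpath(posixpath.join(root, rel))
        if not dest.startswith(root + "/"):
            raise UpdateRejected(f"entry escapes install root: {rel}")
        plan.append(dest)
    return plan


if __name__ == "__main__":
    # Constructed sample packages.
    good = sign_package({"bin/app": b"v2 image", "conf/app.ini": b"x=1"})
    print("verified plan:", plan_install_verified(good))

    traversal = sign_package({"../../../etc/shadow": b"overwritten"})
    print("unverified plan for traversal package:", plan_install_unverified(traversal))
    try:
        plan_install_verified(traversal)
    except UpdateRejected as exc:
        print("verified installer rejected it:", exc)

    tampered = sign_package({"bin/app": b"v2 image"})
    tampered["files"]["bin/app"] = b"modified after signing"
    try:
        plan_install_verified(tampered)
    except UpdateRejected as exc:
        print("verified installer rejected it:", exc)
```

The ordering of the checks matters: the signature is verified before any entry name is interpreted, so an unauthenticated package never reaches the path logic, and the path check is done on the normalized destination rather than by string-matching `..` in the entry name, which also catches `bin/../../x` style names.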

Impact

Successful exploitation allows an attacker to overwrite arbitrary files, which could lead to modification of system settings or execution of arbitrary code. The attacker gains unauthorized access to the device, potentially compromising its integrity and availability. The exact privileges obtained depend on the files overwritten, but the attack originates from an authenticated session[1].

Mitigation

Roche has released software updates to address this vulnerability. Users should update to the fixed versions: Accu-Chek Inform II to 03.06.00 or 04.03.00 depending on serial number; CoaguChek Pro II to 04.03.00; CoaguChek XS Plus and XS Pro to 03.01.06; and cobas h 232 to 03.01.03 or 04.00.04 depending on serial number. Refer to the CISA advisory (ICSMA-18-310-01) for additional details[1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)