i-SENS, Inc. SmartLog Diabetes Management Software
Plan: Patch
CVSS: 7.3
ICS-CERT: ICSMA-17-250-01 (Sep 7, 2017)
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
An uncontrolled search path element vulnerability (CWE-428) exists in i-SENS SmartLog Diabetes Management Software versions prior to 2.4.0. The vulnerability allows a local attacker with user-level privileges to execute arbitrary code by injecting malicious libraries into the application's search path when a user interacts with the application. This could compromise patient data or disrupt clinical workflows. i-SENS has released version 2.4.1 to remediate this issue.
What this means
What could happen
An attacker with local access to a workstation running SmartLog could exploit a search path vulnerability to execute arbitrary code with the privileges of the logged-in user, potentially compromising patient data or disrupting diabetes management workflows in a clinical setting.
Who's at risk
Healthcare facilities and clinics using i-SENS SmartLog for diabetes patient management. This affects clinical staff workstations and any system where SmartLog is installed for managing patient glucose monitoring data and treatment records.
How it could be exploited
An attacker with local access to the system can exploit an uncontrolled search path element vulnerability (CWE-428) to inject a malicious library or executable into the application's search path. When SmartLog loads dependencies, it will execute the attacker's code instead of the legitimate library, giving the attacker control of the application process.
Prerequisites
- Local access to the workstation running SmartLog
- User must be logged into the system
- User interaction required (application must be launched or a file opened)
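A hardening check a defender can run against the condition this advisory describes, added here as an example that is not part of the advisory or of i-SENS software: it walks the application directory and every entry on the machine PATH and reports any directory that a broad group (Users, Authenticated Users, Everyone) can create files in, which is exactly what an uncontrolled search path element (CWE-428) needs to be abused. It assumes a Windows workstation; the SmartLog install path is an operator-supplied placeholder, not a path documented by the vendor.

```powershell
# Added CWE-428 audit for the SmartLog workstation; not vendor code.
# Assumes Windows. $AppDir is a PLACEHOLDER: set it to the real install directory.
param(
    [string]$AppDir = 'C:\Program Files (x86)\SmartLog'
)

# Identities that should never be able to drop files into a search-path directory.
$BroadIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Creating a file or subdirectory is enough to plant a library; Modify and
# FullControl both include these bits, so the mask catches them as well.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-WritableByBroadGroup {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

# Candidate directories: the application directory plus the machine PATH, i.e.
# the places a bare-name DLL or EXE lookup can resolve to.
$candidates = @($AppDir) + ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')
$findings = foreach ($dir in ($candidates | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique)) {
    try {
        $who = Test-WritableByBroadGroup -Path $dir
        if ($who) { [pscustomobject]@{ Directory = $dir; WritableBy = $who } }
    } catch {
        Write-Warning "Could not read ACL on ${dir}: $_"
    }
}

if ($findings) {
    Write-Host 'Search-path directories writable by a broad group (tighten the ACL or remove the entry):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No broadly writable directories found in the application search path.'
}
```

Run it from an elevated prompt after patching to 2.4.1 as well, since the search path is a property of the workstation, not only of the vulnerable build.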
- Local exploitation required
- User interaction required
- Affects healthcare data integrity
- CVSS 7.3 (high)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: SmartLog Diabetes Management Software
Affected Versions: < 2.4.0
Fix Status: 2.4.1
Remediation & Mitigation
Do now
HARDENING: Restrict local access to workstations running SmartLog through physical security controls and user account restrictions
Schedule (requires maintenance window)
HOTFIX: Update SmartLog Diabetes Management Software to version 2.4.1 or later. Patching may require a device reboot; plan for process interruption.
Long-term hardening
HARDENING: Educate staff on recognizing and avoiding email scams and social engineering attacks that could lead to malware installation
CVEs (1)