Vyaire Medical CareFusion Upgrade Utility Vulnerability

MonitorCVSS 6.7ICS-CERT ICSMA-18-037-01Feb 6, 2018

EnergyHealthcare

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

Vyaire Medical CareFusion Upgrade Utility v2.0.2.2 and earlier contain an uncontrolled search path element vulnerability (CWE-427) that allows local attackers to execute arbitrary code by placing a malicious library in the application's DLL search path. The vulnerability affects respiratory care and pulmonary function testing device management on Windows XP systems. Vyaire Medical recommends upgrading to Upgrade Utility v2.0.3.0, which requires Windows 7 or later. The older utility is no longer supported.

What this means

What could happen

An attacker with local access to a Windows system running the vulnerable Upgrade Utility could execute arbitrary code by placing a malicious library in the application's search path, potentially compromising control of respiratory care devices or associated medical equipment.

Who's at risk

Healthcare organizations and energy sector facilities using Vyaire Medical respiratory care devices (spirometers and pulmonary function testing equipment) managed through the CareFusion Upgrade Utility on Windows XP systems should prioritize this issue, as device firmware updates are critical for device functionality and safety.

How it could be exploited

An attacker with local access to the system can place a malicious library in a directory that the CareFusion Upgrade Utility searches during startup. When the utility runs—potentially with elevated privileges if triggered by an authorized user—the malicious library is loaded and executed, giving the attacker code execution on the system.

Prerequisites

Local access to the Windows system running CareFusion Upgrade Utility
User with sufficient privileges to place files in directories searched by the application
Ability to influence the user to launch the vulnerable Upgrade Utility

Local access requiredLow complexity attackPrivilege escalation possibleAffects medical device management systemsWindows XP end-of-life status increases overall risk

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

CareFusion Upgrade Utility used with Windows XP systems:≤ 2.0.2.2v2.0.3.0+ (available as Vyaire Upgrade Utility)

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict local file system access to the CareFusion Upgrade Utility directory to only authorized personnel and prevent unauthorized file placement

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade from CareFusion Upgrade Utility v2.0.2.2 to Vyaire Upgrade Utility v2.0.3.0

HOTFIXMigrate underlying operating system from Windows XP to Windows 7 or later to support the patched version

CVEs (1)

CVE-2018-5457

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1e1ab8ea-ed80-40a1-8d1e-6758e90362ea

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.