BeaconMedaes TotalAlert Scroll Medical Air Systems

Plan PatchCVSS 7.5ICS-CERT ICSMA-18-144-01May 24, 2018

Healthcare

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

BeaconMedaes TotalAlert Scroll Medical Air Systems running version 4107600010.23 and earlier contain access control and sensitive data exposure vulnerabilities (CWE-284, CWE-522). An attacker with network access could view and potentially modify device information and web application setup. The vendor confirms that patient health information and medical air delivery compliance with NFPA 99 standards are not compromised. A vendor update (version 4107600010.24) has been released to address these vulnerabilities.

What this means

What could happen

An attacker could view and modify device configuration and web application settings on medical air systems. The vendor confirms that patient data and the ability to deliver medical air remain unaffected.

Who's at risk

Healthcare facilities operating BeaconMedaes TotalAlert Scroll Medical Air Systems should prioritize patching. This affects critical gas delivery infrastructure in hospitals and clinics. Medical gas technicians and biomedical engineering teams managing these systems are responsible for remediation.

How it could be exploited

An attacker with network access to the TotalAlert Scroll system (no authentication required) can read and modify device information and web application setup parameters through the exposed interface. This could allow tampering with system configuration, though actual medical air delivery capability is protected.

Prerequisites

Network access to the TotalAlert Scroll Medical Air System
No credentials required

remotely exploitableno authentication requiredlow complexityaffects medical infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

TotalAlert Scroll Medical Air Systems: running software≤ 4107600010.234107600010.24

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGIsolate medical air system network from business network using firewall segmentation and ensure device is not Internet-accessible.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TotalAlert Scroll Medical Air Systems to version 4107600010.24 or latest release. Contact BeaconMedaes directly at 1-888-4MEDGAS (463-3427) to obtain the update.

Long-term hardening

0/1

HARDENINGIf remote access is required, use secure methods such as VPN and keep VPN software updated to current version.

CVEs (2)

CVE-2018-7518 CVE-2018-7510

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0c52c813-8036-4244-9837-59099a253a24

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.