OTPulse

Carestream Vue RIS

Low Risk · CVSS 3.7 · ICS-CERT ICSMA-18-277-01 · Oct 4, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Carestream Vue RIS Client Build 11.2 and earlier on Windows 8.1 with IIS 7.5 contains a vulnerability that allows an attacker with network access to passively read unencrypted traffic. This could expose sensitive medical imaging data and patient information transmitted over the network. The vulnerability does not allow attackers to modify data or disrupt operations, only to eavesdrop on communications. Carestream has remediated the issue in current versions of the software.

What this means
What could happen
An attacker with network access to the system can passively read sensitive traffic, potentially exposing patient data or operational information in transit. This affects the confidentiality of data but does not allow modification or disruption of operations.
Who's at risk
Healthcare facilities and transportation organizations using Carestream Vue RIS Client on Windows 8.1 systems should care about this vulnerability. It affects the confidentiality of radiological image data and associated clinical information transmitted between the RIS client workstations and the central system.
How it could be exploited
An attacker on the network segment with the affected RIS Client system can passively capture and read unencrypted network traffic between the client and server. This is a passive eavesdropping attack requiring no active manipulation of traffic.
Prerequisites
  • Network access to the same network segment as the affected RIS Client
  • Windows 8.1 system with IIS 7.5 running RIS Client Build 11.2 or earlier
  • No authentication credentials required for passive traffic capture
Tags: remotely exploitable · no authentication required · affects healthcare data confidentiality · no patch available for legacy versions
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: RIS Client
Affected Versions: Builds ≤ 11.2 on Windows 8.1 with IIS 7.5
Fix Status: current version (specific version number not provided in advisory)
Remediation & Mitigation
Do now

Workaround: Contact Carestream Support at https://eservice.carestream.com for detailed mitigation guidance specific to your deployment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Upgrade RIS Client to a current version beyond Build 11.2 that includes the vulnerability remediation
Long-term hardening
Hardening: Implement network segmentation to isolate the RIS Client system on a dedicated VLAN, with access controls restricting which users and devices can connect to it
Hardening: Deploy an encrypted VPN, or enforce SSL/TLS, at the network edge so that traffic between the RIS Client and backend systems is protected from passive eavesdropping