Dräger Infinity Delta

Plan PatchCVSS 8.4ICS-CERT ICSMA-19-022-01Jan 22, 2019

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Dräger Infinity Delta, Delta XL, Kappa, and Infinity Explorer C700 patient monitors contain vulnerabilities in input validation, access controls, and log handling that allow local attackers to disclose sensitive device logs, trigger denial of service through device reboots, and escalate privileges. All versions of these products are affected. While Dräger released VF10.1 software updates in December 2018, patch availability and applicability depends on device age, firmware version, and hospital infrastructure.

What this means

What could happen

An attacker with local access to these patient monitors could read sensitive device logs (information disclosure), force the monitor to reboot (denial of service affecting patient monitoring), or gain higher system privileges to modify monitor behavior or settings.

Who's at risk

Healthcare facilities using Dräger Infinity Delta, Delta XL, Kappa, or Infinity Explorer C700 patient monitors in critical care units, operating rooms, and recovery areas. These devices are used for continuous vital sign monitoring; loss of monitor availability or integrity could directly impact patient safety decisions.

How it could be exploited

An attacker with physical or local network access to the device could exploit improper input validation (CWE-20) and insufficient access controls (CWE-269) to escalate privileges, access restricted logs containing sensitive information, or trigger a denial of service condition through device restart.

Prerequisites

Local access to the device or network segment where the monitor resides
No valid user credentials required for exploitation of privilege escalation or information disclosure vulnerabilities

No authentication required for exploitationAffects safety-critical medical devicesAll versions vulnerable (no safe version)No vendor patch planned (legacy medical equipment)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Delta XL: all versionsAll versionsVF10.1

Kappa: all versionsAll versionsVF10.1

Infinity Delta: all versionsAll versionsVF10.1

Infinity Explorer C700: all versionsAll versionsVF10.1

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDContact Dräger through their regional marketing manager or Product Security team (https://static.draeger.com/security) to confirm patch availability and compatibility with your specific installation

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate to Delta/Infinity Explorer VF10.1 software or later (released December 2018) via Dräger ServiceConnect

Long-term hardening

0/1

HARDENINGRestrict physical and network access to these patient monitors to authorized clinical staff only; isolate monitors on a protected hospital network segment away from general IT network

CVEs (3)

CVE-2018-19010 CVE-2018-19014 CVE-2018-19012

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e5e49082-1f92-46cb-a935-906eee312c9e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.