Spacelabs Xhibit Telemetry Receiver (XTR)
Priority: Act Now | Score: 9.8 | Source: ICS-CERT ICSMA-20-049-01 | Published: Feb 18, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A remote code execution vulnerability (BlueKeep/CVE-2019-0708) exists in the Remote Desktop Protocol (RDP) service used by Windows operating systems and the Xhibit Telemetry Receiver (XTR). An attacker can exploit this vulnerability without authentication to execute arbitrary code on the affected system. The vulnerability impacts Windows 2000, XP, Vista, 2003, 2003 R2, 2008, 2008 R2, and 7, as well as XTR Model 96280 v1.0.2 and Arkon (99999) appliances. Spacelabs recommends updating XTR to v1.2.1 or later. Microsoft has released patches for affected Windows versions.
What this means
What could happen
An attacker can remotely execute arbitrary code on an XTR device or Windows system without authentication, potentially taking control of the telemetry receiver and disrupting patient monitoring data flow in healthcare facilities.
Who's at risk
Healthcare facilities using Spacelabs Xhibit Telemetry Receiver (XTR) devices for patient monitoring, and any organization running legacy Windows systems (Windows 2000, XP, 2003, Vista, 2008, or 7) with RDP enabled. This is a critical concern for hospitals and clinics that depend on continuous telemetry data collection.
How it could be exploited
The attacker targets the Remote Desktop Protocol (RDP) service running on the XTR appliance or its underlying Windows OS over the network. By sending a specially crafted RDP packet, the attacker can trigger a memory corruption flaw that allows code execution without needing valid credentials or user interaction.
Prerequisites
- Network access to RDP port 3389 on the XTR device or Windows system
- RDP service enabled and reachable from the attacker's network location
- No authentication required
Risk factors:
- Remotely exploitable
- No authentication required
- Low complexity attack
- Actively exploited (KEV)
- Very high EPSS score (94.5%)
- Affects medical device (patient monitoring)
- Legacy Windows OS with no vendor support
- XTR v1.0.2 has no patch available
Exploitability: Actively exploited, confirmed by CISA KEV
Affected products (10): 1 pending, 9 EOL

Product                                              | Affected Versions | Fix Status
Xhibit Telemetry Receiver (XTR) Model number 96280   | v1.0.2            | No fix yet
Windows Server 2003 (all Service Pack versions)      | All versions      | No fix (EOL)
Windows XP (all Service Pack versions)               | All versions      | No fix (EOL)
Windows Server 2008 (all Service Pack versions)      | All versions      | No fix (EOL)
Windows 2000 (all Service Pack versions)             | All versions      | No fix (EOL)
Windows 7 (all Service Pack versions)                | All versions      | No fix (EOL)
Windows Vista (all Service Pack versions)            | All versions      | No fix (EOL)
Windows Server 2003 R2 (all Service Pack versions)   | All versions      | No fix (EOL)
Remediation & Mitigation

Do now: Xhibit Telemetry Receiver (XTR) Model number 96280, v1.0.2
- HOTFIX: Update Xhibit Telemetry Receiver (XTR) to firmware version 1.2.1 or later
- HOTFIX: Contact Spacelabs technical support (1-800-522-7025, option 2) to coordinate XTR firmware updates and verify the installed version

All products
- HOTFIX: Apply Microsoft security patches for CVE-2019-0708 (BlueKeep) to all affected Windows systems
- WORKAROUND: Restrict network access to RDP port 3389 using firewall rules; allow only from trusted engineering and management networks
- WORKAROUND: Disable RDP on systems where it is not operationally necessary
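The two workarounds above, as an added example that is not from the advisory or from Spacelabs: a PowerShell audit of one Windows host's RDP exposure that can also scope inbound TCP/3389 to trusted subnets or disable RDP outright. It assumes an elevated shell on Vista / Server 2008 / 7 or later, and the subnet values are placeholders to replace with your own management ranges.

```powershell
# Added example (not from the advisory or Spacelabs): audit this host's RDP exposure to
# CVE-2019-0708 and optionally apply the advisory's workarounds. Assumes an elevated shell
# on Vista / Server 2008 / 7 or later (netsh advfirewall and the "Remote Desktop" rule
# group exist there; Windows 2000 / XP / 2003 have neither). Do not run it on the XTR
# appliance itself; that device's fix is the vendor firmware update to 1.2.1.
param(
    # Placeholders: replace with your engineering/management subnets.
    [string[]]$TrustedSubnets = @('10.0.10.0/24', '192.168.50.0/24'),
    [switch]$RestrictToTrusted,   # workaround 1: allow TCP/3389 only from $TrustedSubnets
    [switch]$DisableRdp           # workaround 2: deny Remote Desktop connections entirely
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
$rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0

# Windows versions the advisory lists as affected (Get-WmiObject works on PowerShell 2.0).
$osName = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$affectedOs = $osName -match 'Windows (2000|XP|Vista|7\b|Server 2003|Server 2008)'

# A listening socket on 3389 shows the service is actually reachable, not merely enabled.
$listening = (netstat -an | Select-String -Pattern ':3389\s+.*LISTENING' -Quiet)

$report = New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OS           = $osName
    AffectedOS   = $affectedOs
    RdpEnabled   = $rdpEnabled
    Listening    = [bool]$listening
    ActionNeeded = ($affectedOs -and $rdpEnabled)
}
$report | Format-List

if ($DisableRdp) {
    # "Disable RDP on systems where it is not operationally necessary"
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
}
elseif ($RestrictToTrusted) {
    # "Restrict network access to RDP port 3389 ... allow only from trusted ... networks"
    # Add the scoped allow rule first, then disable the broad built-in allow rules, so RDP
    # from trusted subnets never drops. A block rule is not used: Windows evaluates block
    # rules before allow rules, so it would cut off the trusted subnets too. Make sure your
    # own session originates inside $TrustedSubnets before running this.
    $remote = $TrustedSubnets -join ','
    netsh advfirewall firewall add rule name=RDP-TrustedSubnetsOnly dir=in action=allow protocol=TCP localport=3389 "remoteip=$remote"
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
}
```

Run it without switches first to get the report for each host; confirming the Microsoft patch for CVE-2019-0708 is installed still has to be done separately (for example with Get-HotFix against the KB that applies to that OS).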
CVEs (1): CVE-2019-0708