Medic! Uncle Sam warns hospitals not to use outdated IPnet freely on their networks

The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices.

The flaws, mostly buffer overflows and memory in various components of IPnet, can be potentially exploited by miscreants to remotely take control of equipment, in this case medical implants and the base stations that manage them.

IPnet was acquired by Wind River when it gobbled up Interpeak in 2006, though the software has been licensed to loads of vendors. As such, the wonky code is present in some editions of Wind River’s VxWorks, Microsoft’s ThreadX Operating System, Embedded from ENEA, Greenhills' INTEGRITY, TRON’s ITRON, and ZebOS from IP Infusion, all of which are used in medical systems among other specialist gear.

While the vulnerabilities, known collectively as Urgent/11, have been known of since July when Wind River issued a bulletin about IPnet, security teams have recently found that the flaws are more widespread than first believed, and could be present on any device that uses the stack for networking.

"Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support," the US FDA explains.

"Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today."

Obviously, the risk from these flaws would depend on the use case, but few medical implants, if any, would be directly vulnerable. Rather, the communications between controller base stations and home servers or the hospital's own LAN would be more likely to be exposed.

The FDA is advising IT admins to keep a close eye on their networks for signs of exploitation of Urgent/11 holes, and make sure to lock down their firewalls and VPN setups. Manufacturers, meanwhile, are being advised to take a close look at their products and patch or replace anything that uses the dated IPnet stack.

Ransomware attack leaves patients out in the cold

Of more immediate worry for patients and doctors is the report out of Alabama that three hospitals in the state are shutting down some of their operations in the midst of an ongoing ransomware attack.

DCH Health System says that its hospitals in Tuscaloosa, Northport, and Fayette would all be turning away non-critical patients for the forseeable future as works to clean up the attack.

"While the attack has impacted DCH’s ability to accept new patients, we are still able to provide critical medical services to those who need it," the hospital chain said.

"Patients who have non-emergency medical needs are encouraged to seek assistance from other providers while DCH works to restore its systems."

No estimate was given for when the hospital might be back online and taking in new patients. ®