Healthcare IT Security News

Critical Vulnerabilities Discovered in MesaLabs Lab Temperature Monitoring System

Jun 3, 2021
Murphy Miller

Stephen Yackey of Securifera discovered five vulnerabilities in the AmegaView continuous monitoring system of MesaLabs, which is employed in hospital labs, forensics laboratories, and biotech companies. Two vulnerabilities are categorized as critical command injection vulnerabilities assigned with CVSS severity scores of 9.9 and 10 out of 10. The vulnerabilities impact AmegaView Versions 3.0 and earlier versions.

The vulnerabilities are listed below in order of severity:

CVE-2021-27447 – CVSS 10/10 – Vulnerability as a result of incorrect neutralization of special elements employed in a command that could permit an attacker to implement arbitrary code.
CVE-2021-27449 – CVSS 9.9/10 – Vulnerability as a result of incorrect neutralization of special elements employed in a command that can permit an attacker to implement commands in the webserver.
CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions that an attacker could exploit to lift privileges on the gadget.
CVE-2021-27451 – CVSS 7.3/10 – Incorrect authentication because of the passcodes created by a quickly reversible algorithm that can permit an attacker to obtain device access.
CVE-2021-27453 – CVSS 7.3/10 – This is an authentication bypass problem that can permit an attacker to obtain access to the web app.

There are presently no public exploits, which specially target these flaws. Considering that AmegaView will get to its end-of-life in late this year, MesaLabs has decided not to create patches to fix the vulnerabilities. Rather, all end users of the vulnerable devices are instructed to get a newer Viewpoint software that works with AmegaView devices.

If this isn’t possible, or when it is, it is advised to identify vulnerable products protected by firewalls and to separate them from the system, and make sure they aren’t accessible from the web. In case remote access is necessary, Virtual Private Networks (VPNs) must be used for access, and VPNs ought to be updated to the latest version.

Before employing any new protective measures, an impact analysis and risk evaluation ought to be conducted.

Tags

Murphy Miller

Murphy Miller is the Editor of Healthcare IT Journal, a leading newspaper in the healthcare information technology. Murphy's work covers a variety of topics including healthcare information technology advancements, health policy and compliance, patient privacy and confidentialy, and the financial aspects of healthcare. As the editor of the Healthcare IT Journal, Murphy Miller provides straightforward, informative content to guide professionals and policymakers in the healthcare and IT fields.

Get the free newsletter

Discover everything you need to become HIPAA compliant

Critical Vulnerabilities Discovered in MesaLabs Lab Temperature Monitoring System

Tags

Murphy Miller

Get the free newsletter

Read Next

Cyberattacks Reported by UT Health Science Center and Jackson Medical Center

Data Breach Announced by Moffitt Cancer Center, Zuckerberg San Francisco General Hospital, Highmark and North Carolina Dental Practice

Senators Probe the 1 Million+ Record Data Breach the United Network for Organ Sharing

DOJ Consent Decree Restricts Philips From Selling Respiratory Machines

News

Get the free newsletter

Get the free newsletter