Siemens Healthineers and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have issued security advisories regarding security vulnerabilities in the vendor's molecular imaging products running on Windows XP or Windows 7.
The affected products include all Windows XP or Windows 7-based versions of its PET/CT, SPECT/CT, and SPECT systems, as well as the company's SPECT Workplaces/Symbia.net workstation, according to the advisories. Siemens has identified two vulnerabilities in products running Windows XP and four vulnerabilities on Windows 7-based versions that could be exploited remotely.
Successful exploitation of these vulnerabilities may allow an attacker to remotely execute arbitrary code, according to the August 3 ICS-CERT advisory for Windows XP-based systems and the advisory for Windows 7-based systems. Exploits that target the Windows 7 vulnerabilities are known to be publicly available.
Siemens said it is preparing updates for the affected products. It also recommends protecting access to the systems using appropriate mechanisms and advises that these devices be run in a dedicated network segment and protected IT environment. If that isn't possible, Siemens recommends the following:
- If patient safety and treatment are not at risk, disconnect the product from the network and use it in standalone mode.
- Reconnect the product only after the provided patch or remediation is installed on the system. Siemens can patch systems capable of remote update handling (RUH) much faster through remote software distribution than through onsite visits. Users of RUH-capable equipment are therefore advised to first clarify patch availability and the remaining risk in the local customer network with the Siemens Customer Care Center, and then reconnect the systems to receive patches as quickly as possible via RUH. This ensures smooth and fast receipt of updates and, therefore, supports re-establishment of system operations.
Siemens also recommends that users have appropriate backups and system restoration procedures in place. Specific patch and remediation guidance can be obtained by contacting a local Siemens customer service engineer or a Siemens regional support center. The company has published separate security advisories for Windows XP-based systems and for Windows 7-based versions.