Stephen Yackey of Securifera discovered five vulnerabilities in the MesaLabs AmegaView continuous monitoring system, which is used in hospital laboratories, forensics laboratories, and biotech companies. Two of the vulnerabilities are critical command injection flaws with CVSS severity scores of 9.9 and 10 out of 10. The vulnerabilities affect AmegaView versions 3.0 and earlier.
The vulnerabilities are listed below in order of severity:
- CVE-2021-27447 – CVSS 10/10 – Improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
- CVE-2021-27449 – CVSS 9.9/10 – Improper neutralization of special elements used in a command, which could allow an attacker to execute commands on the web server.
- CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions that an attacker could exploit to escalate privileges on the device.
- CVE-2021-27451 – CVSS 7.3/10 – Improper authentication: passcodes are generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
- CVE-2021-27453 – CVSS 7.3/10 – An authentication bypass issue that could allow an attacker to gain access to the web application.
No public exploits specifically targeting these flaws are currently known. Because AmegaView will reach end-of-life later this year, MesaLabs has decided not to release patches for the vulnerabilities. Instead, all users of the vulnerable devices are instructed to migrate to the newer Viewpoint software, which works with AmegaView devices.
If this is not possible, or until it has been done, it is advised to place vulnerable products behind firewalls, isolate them from the business network, and ensure they are not accessible from the Internet. If remote access is required, it should go through a Virtual Private Network (VPN), and the VPN should be kept updated to the latest version.
Before deploying any new protective measures, an impact analysis and risk assessment should be performed.