Multiple Roche Point of Care Handheld Medical Services Multiple Security Vulnerabilities

Bugtraq ID:	105843
Class:	Design Error
CVE:	CVE-2018-18561 CVE-2018-18562 CVE-2018-18563 CVE-2018-18564 CVE-2018-18565
Remote:	Yes
Local:	No
Published:	Nov 06 2018 12:00AM
Updated:	Nov 06 2018 12:00AM
Credit:	Niv Yehezkel of Medigate
Vulnerable:	Roche cobas h 232 0 Roche CoaguChek XS Pro 0 Roche CoaguChek XS Plus 0 Roche CoaguChek Pro II 0 Roche CoaguChek 0 Roche Accu-Chek Inform II Instrument 0
Not Vulnerable:	Roche cobas h 232 4.0.4 Roche cobas h 232 3.1.4 Roche cobas h 232 3.1.3 Roche CoaguChek XS Pro 3.1.6 Roche CoaguChek XS Plus 3.1.6 Roche CoaguChek Pro II 4.3 Roche CoaguChek 3.1.4 Roche Accu-Chek Inform II Instrument 3.6

Multiple Roche Point of Care Handheld Medical Services Multiple Security Vulnerabilities

Multiple Roche Point of Care Handheld Medical Services are prone to the following security vulnerabilities:

1. An authentication bypass vulnerability
2. An OS command-injection vulnerability
3. An arbitrary file-upload vulnerability
4. A remote code-execution vulnerability
5. An access bypass vulnerability

An attacker can exploit these issues to bypass authentication mechanism, execute arbitrary commands and codes, upload arbitrary files, or to bypass security restrictions.

Multiple Roche Point of Care Handheld Medical Services Multiple Security Vulnerabilities

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Multiple Roche Point of Care Handheld Medical Services Multiple Security Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Multiple Roche Point of Care Handheld Medical Services Multiple Security Vulnerabilities

References:

• Roche Homepage (Roche)
  
• ICSMA-18-310-01 Roche Point of Care Handheld Medical Devices (CERT)