Siemens Healthineers Security Advisories

Web Vulnerabilities in syngo Dynamics before VA40G HF01

Publication Date: 2022-11-17
Last Update: 2022-11-17
Current Version: V1.0
CVSS v3.1 Base Score: 9.1

SUMMARY

Web services in the syngo Dynamics server before version VA40G HF01 are impacted by multiple vulnerabilities that could allow Man-in-the-Middle attacks, leaking NTLM credentials and to read/write data to the local file system.
Note: The vulnerable web services are not intended to be exposed to the Internet. The Internet facing Web Portal part of the syngo Dynamics is not affected by the vulnerabilities.
Siemens Healthineers has released an update for the syngo Dynamics and recommends to update to the latest version.

Affected Product and Versions

Remediation

syngo Dynamics:
All versions < VA40G HF01

Update to VA40G HF01 or later version
Contact your local Siemens Healthineers Customer
Service Engineer, portal or our Regional
Support Center. To find your local contact, please
refer to https://www.siemens-healthineers.com/how-can-we-help-you/
See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • The web services should never be exposed to the Internet (except Web Portal layer)
  • Access to the application server should be limited to only those nodes that require syngo Dynamics functionality

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.


GENERAL SECURITY RECOMMENDATIONS

In addition, Siemens Healthineers recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION

syngo Dynamics Cardiovascular Imaging and Information System (CVIS) is used for the acceptance,
transfer, display, storage, archive and manipulation of digital medical images, as well as quantification
and report generation. syngo Dynamics also provides the ability to manage patient information, order
entry, workflow management and business analytics.


VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.
An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2022-42732
syngo Dynamics application server hosts a web service using an operation with improper read access
control that could allow files to be retrieved from any folder accessible to the account assigned to the
website’s application pool.
CVSS v3.1 Base Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CWE CWE-73: External Control of File Name or Path


Vulnerability CVE-2022-42733
syngo Dynamics application server hosts a web service using an operation with improper read access
control that could allow files to be retrieved from any folder accessible to the account assigned to the
website’s application pool.
CVSS v3.1 Base Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CWE CWE-73: External Control of File Name or Path


Vulnerability CVE-2022-42734
syngo Dynamics application server hosts a web service using an operation with improper write access
control that could allow to write data in any folder accessible to the account assigned to the website’s
application pool.
CVSS v3.1 Base Score 9.1
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-73: External Control of File Name or Path


Vulnerability CVE-2022-42891
syngo Dynamics application server hosts a web service using an operation with improper write access
control that could allow to write data in any folder accessible to the account assigned to the website’s
application pool.
CVSS v3.1 Base Score 9.1
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-73: External Control of File Name or Path


Vulnerability CVE-2022-42892
syngo Dynamics application server hosts a web service using an operation with improper write access
control that could allow directory listing in any folder accessible to the account assigned to the website’s
application pool.
CVSS v3.1 Base Score 9.1
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-23: Relative Path Traversal


Vulnerability CVE-2022-42893
syngo Dynamics application server hosts a web service using an operation with improper write access
control that could allow to write data in any folder accessible to the account assigned to the website’s
application pool.
CVSS v3.1 Base Score 9.1
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-73: External Control of File Name or Path


Vulnerability CVE-2022-42894
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the
web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM
credentials as well as local service enumeration.
CVSS v3.1 Base Score 5.3
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CWE CWE-918: Server-Side Request Forgery (SSRF)


ACKNOWLEDGMENTS

Siemens Healthineers thanks the following parties for their efforts:

  • Ryan Wincey from Securifera, Inc. for coordinated disclosure


ADDITIONAL INFORMATION

syngo Dynamics VA20 and older versions are past End of Support.

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity


HISTORY DATA

V1.0 (2022-11-17): Publication Date


TERMS OF USE

Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or docu- mentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens’ Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.