Siemens Healthineers Security Advisory

Deserialization Vulnerability in Healthcare Products
Publication Date: 2022-05-31
Last Update: 2022-06-09
Current Version: 1.0
CVSS v3.1 Base Score: 9.8

SUMMARY
A deserialization vulnerability is present in syngo which could allow an unauthenticated attacker to perform remote code execution under certain circumstances. Multiple Siemens Healthineers products use this platform and are affected by varying degrees.
Siemens Healthineers provides fixes for all affected versions and recommends specific countermeasures where fixes cannot be applied.

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions

Remediation

Biograph Horizon PET/CT Systems:

All VJ30 versions < VJ30C-UD01

Update to VJ30C-UD01 or later version. This is
either remotely installed via SRS or contact your
local service representative

Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

MAGNETOM Family:

NUMARIS X: VA12M, VA12S, VA10B, VA20A,

VA30A, VA31A

Contact your local service representative
Allow network access to ports 32912/tcp and
32914/tcp for trusted clients only
This product can be installed/operated in “workstation
mode” where the client and server are
installed on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

MAMMOMAT Revelation:

All VC20 versions < VC20D

Contact your local service representative to update
to VC20D or later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

NAEOTOM Alpha:

All VA40 versions < VA40 SP2

Contact your local service representative to update
to VA40 SP2 or later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM go.All:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM go.Now:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM go.Open Pro:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM go.Sim:

All versions < VA30 SP5 or VA40 SP2

ontact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM go.Top:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM go.Up:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM X.cite:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

SOMATOM X.creed:

All versions < VA30 SP5 or VA40 SP2

Contact your local service representative to update
to VA30 SP5, VA40 SP2 or a later version
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

Symbia E/S:

All VB22 versions < VB22A-UD03

Update to VB22A-UD03 or later version. This is
either remotely installed via SRS or contact your
local service representative
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

Symbia Evo:

All VB22 versions < VB22A-UD03

Update to VB22A-UD03 or later version. This is
either remotely installed via SRS or contact your
local service representative
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

Symbia Intevo:

All VB22 versions < VB22A-UD03

Update to VB22A-UD03 or later version. This is
either remotely installed via SRS or contact your
local service representative
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

Symbia T:

All VB22 versions < VB22A-UD03

Update to VB22A-UD03 or later version. This is
either remotely installed via SRS or contact your
local service representative
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

Symbia.net:

All VB22 versions < VB22A-UD03

Update to VB22A-UD03 or later version. This is
either remotely installed via SRS or contact your
local service representative
Due to product layout, the CVSS score is
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,
reducing the CVSS overall score to 8.8
See further recommendations from section
Workarounds and Mitigations

syngo.via VB10:

All versions

Update to VB40B HF06, VB60A HF02 or later version
Syngo.via can be installed/operated in “workstation
mode” where the client and server are installed
on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
See further recommendations from section
Workarounds and Mitigations

syngo.via VB20:

All versions

Update to VB40B HF06, VB60A HF02 or later version
Syngo.via can be installed/operated in “workstation
mode” where the client and server are installed
on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
See further recommendations from section
Workarounds and Mitigations

syngo.via VB30:

All versions

Update to VB40B HF06, VB60A HF02 or later version
Ensure the Whitelisting (WDAC) is activated on
the server
Syngo.via can be installed/operated in “workstation
mode” where the client and server are installed
on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
See further recommendations from section
>Workarounds and Mitigations

syngo.via VB40:

All versions < VB40B HF06

Update to VB40B HF06, VB60A HF02 or later version
Ensure the Whitelisting (WDAC) is activated on
the server
Syngo.via can be installed/operated in “workstation
mode” where the client and server are installed
on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
See further recommendations from section
Workarounds and Mitigations

syngo.via VB50:

All versions

Update to VB60A HF02 or later version
Ensure the Whitelisting (WDAC) is activated on
the server
Syngo.via can be installed/operated in “workstation
mode” where the client and server are installed
on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
See further recommendations from section
Workarounds and Mitigations

syngo.via VB60:

All versions < VB60A HF02

Update to VB60A HF02 or later version
Ensure the Whitelisting (WDAC) is activated on
the server
Syngo.via can be installed/operated in “workstation
mode” where the client and server are installed
on the same system. For such setups
Siemens Healthineers recommends closing the
ports 32912/tcp and 32914/tcp on the server Windows
firewall for all inbound traffic
See further recommendations from section
Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS
Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • If possible, block ports 32912/tcp and 32914/tcp on an external firewall
Product specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.


GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers generally recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you.

PRODUCT DESCRIPTION
Siemens Healthineers Biograph Horizon PET/CT Systems are used in hospital environments for imaging. Siemens Healthineers MAGNETOM MRI Systems are used in hospital environments for imaging. Siemens Healthineers MAMMOMAT Revelation is a state-of-the-art digital mammography system for screening and diagnostics. Siemens Healthineers NAEOTOM Alpha is a photon-counting CT scanner. Siemens Healthineers SOMATOM CT devices are used in hospital environments for imaging. Siemens Healthineers Symbia is a family of SPECT, SPECT/CT and Post-Processing Workstation devices that are used in hospital environments for imaging. Siemens Healthineers syngo.via is a software solution intended to be used for viewing, manipulation, communication, and storage of medical images. It can be used as a stand-alone device or together with a variety of cleared and unmodified syngo based software options. syngo.via supports interpretation and evaluation of examinations within healthcare institutions, for example, in Radiology, Nuclear Medicine and Cardiology environments.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.


Vulnerability CVE-2022-29875
The application deserialises untrusted data without sufficient validations that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system if ports 32912/tcp or 32914/tcp are reachable. CVSS v3.1 Base Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-502: Deserialization of Untrusted Data


ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity.


HISTORY DATA
V1.0 (2022-05-31): Publication Date