Medical washer-disinfector appliance’s web server open to attack

Here’s a string of words that you probably never thought you’d hear: an Internet-connected washer-disinfector appliance by German manufacturer Miele sports a vulnerable embedded web server.


The vulnerable device

The appliance in question – Miele Professional PG 8528 – is used in medical establishments to clean and thoroughly disinfect medical and laboratory instruments and glassware.

It has an RS 232 serial interface that facilitates the exchange of data with other appliances (e.g. for process documentation), and an Ethernet interface that enables cable-supported communication in the local network.

The vulnerability

“The corresponding embedded webserver ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” Jens Regel, IT security consultant at German consultancy Schneider & Wulf, explained.

He also published proof-of-concept exploit code for the flaw.
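As an added illustration (not code from the advisory, from Miele, or from Regel’s proof of concept), here is the defender’s side of the flaw class described above: one half scans access-log lines for traversal sequences, including percent-encoded ones, and the other shows how a web server should map a request path onto its document root so that such a request is refused. The log format, web root and client addresses are assumptions, and the sample log lines are constructed.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded %252e%252e is also caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")   # treat backslash separators like slashes

def is_traversal_attempt(path: str) -> bool:
    """True if any path segment is '..' after decoding (query string ignored)."""
    path = decode_fully(path.split("?", 1)[0])
    return any(seg == ".." for seg in path.split("/"))

def safe_resolve(webroot: str, request_path: str):
    """Mitigation: map the URL onto webroot, or return None if it would escape."""
    clean = decode_fully(request_path.split("?", 1)[0]).lstrip("/")
    parts = []
    for seg in clean.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            return None          # refuse outright rather than silently pop
        parts.append(seg)
    return str(PurePosixPath(webroot).joinpath(*parts))

def scan_log(lines):
    """Return (client_ip, raw_path, status) for every traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

# Constructed sample log lines, not traffic captured from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2017:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.99 - - [24/Mar/2017:10:01:05 +0100] "GET /../../../../etc/passwd HTTP/1.1" 200 1043',
    '192.0.2.99 - - [24/Mar/2017:10:01:07 +0100] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 911',
    '192.0.2.11 - - [24/Mar/2017:10:01:09 +0100] "GET /docs/..report.pdf HTTP/1.1" 200 9000',
]
```

A 200 status on a flagged request is the signal worth alerting on: it means the server actually served the file rather than rejecting the path.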

What now?

The vulnerability (CVE-2017-7240) is not critical, but that doesn’t mean that it can’t be dangerous or that it should not be fixed.

According to Regel, Miele has been notified of the flaw but has yet to say whether a fix exists or is already being rolled out, or when one can be expected.

Therefore, for the time being, disconnecting the device from the Internet is the best option for keeping it secure.