CVE-2018-4846
📋 TL;DR
This CVE describes a critical vulnerability in Siemens Healthineers medical laboratory systems: a factory account with a hardcoded password is reachable over VNC on port 5900/tcp, so anyone who knows the credential and can reach the port gets a remote session on the device. No user interaction is required. The resulting access compromises patient data confidentiality, system integrity (including the results the device reports), and device availability. Affected products are the RAPIDLab 1200, RAPIDPoint 400, and RAPIDPoint 500 series across multiple versions.
💻 Affected Systems
- RAPIDLab 1200 systems
- RAPIDPoint 400 systems
- RAPIDPoint 500 systems
📦 What is this software?
RAPIDLab 1200 and RAPIDPoint 400/500 are Siemens Healthineers blood gas analyzers used in hospital laboratories and at the point of care. They are networked for result reporting and servicing, which is how the VNC service on 5900/tcp becomes reachable.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to manipulate test results, steal sensitive patient data, disrupt laboratory operations, or use the device as a pivot point into hospital networks.
Likely Case
Unauthorized access to device configuration, potential data exfiltration, and disruption of laboratory testing operations.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to port 5900/tcp.
🎯 Exploit Status
Exploitation requires only the hardcoded credential and network reachability of port 5900/tcp: any stock VNC client will do. No public exploit was known at advisory publication, but weaponization is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.3 for RAPIDLab 1200 Series with Informatics products; other systems require specific updates per advisory
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-755010.pdf
Restart Required: Yes
Instructions:
1. Consult Siemens Healthineers advisory SSA-755010 for the patch version that applies to each system.
2. Apply the appropriate update for your specific system configuration.
3. Restart affected devices after patching.
4. Verify the patch was applied through a version check.
🔧 Temporary Workarounds
Network Segmentation and Access Control
Block access to port 5900/tcp on affected devices from every source except the designated maintenance host, using firewalls and network segmentation.
# Example rule on a Linux firewall/gateway in front of the lab segment (FORWARD chain);
# use INPUT instead only if the rule runs on the host that exposes the port itself
iptables -A FORWARD -p tcp --dport 5900 -j DROP
VNC Service Disablement
Disable the VNC service on affected devices if it is not required for operations.
# Consult Siemens documentation for service disablement procedures
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from untrusted networks
- Deploy network monitoring and intrusion detection for port 5900 access attempts
🔍 How to Verify
Check if Vulnerable:
Check the device software version against the affected versions listed in Siemens advisory SSA-755010. From a host that is not on the maintenance allowlist, test whether port 5900/tcp on the device accepts a TCP connection and answers with an RFB (VNC) protocol banner.
Check Version:
# Consult Siemens device documentation for version check procedures specific to each device model
Verify Fix Applied:
Verify the software version matches the patched version in the advisory. Then confirm that port 5900/tcp is unreachable from hosts outside the maintenance allowlist and, in coordination with clinical engineering or the vendor, that the factory account's credential no longer authenticates.
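The reachability check above can be scripted. The following is an added example for this page, not code from the Siemens advisory: it performs the RFB (VNC) version exchange described in RFC 6143 against a host and reports which security types the server offers, then stops before any authentication. It therefore shows whether 5900/tcp is exposed and what kind of login it expects, not whether the factory credential still works. Host and port are taken from the command line; the security type names are the registered RFB values.

```python
"""Probe a host for an exposed VNC (RFB) service and report its security types.
Added example for this page, not from the Siemens advisory.  It stops before
any authentication: no password is ever sent.  Usage: probe.py HOST [PORT]"""
import socket
import struct
import sys

# RFB security type numbers registered in RFC 6143 / the IANA rfb registry.
SECURITY_TYPE_NAMES = {
    1: "None (no authentication at all)",
    2: "VNC Authentication (8-byte password, DES challenge/response)",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_rfb_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB ProtocolVersion banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple, data: bytes) -> list:
    """Parse the server's security announcement that follows the version exchange.

    RFB 3.3: one big-endian u32 security type (0 = server refused the client).
    RFB 3.7+: u8 count, then that many u8 types; count 0 = refusal, followed by
    a u32 length and an ASCII reason string.
    """
    if version < (3, 7):
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security message")
        stype = struct.unpack(">I", data[:4])[0]
        if stype == 0:
            raise ConnectionRefusedError("server refused handshake (RFB 3.3)")
        return [stype]
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if count == 0:
        reason_len = struct.unpack(">I", data[1:5])[0] if len(data) >= 5 else 0
        reason = data[5:5 + reason_len].decode("ascii", "replace")
        raise ConnectionRefusedError(f"server refused handshake: {reason}")
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types list")
    return types


def describe(types: list) -> str:
    """Summarise the exposure implied by the offered security types."""
    names = ", ".join(SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types)
    if 1 in types:
        verdict = "EXPOSED: server accepts sessions with no password"
    elif 2 in types:
        verdict = "EXPOSED: classic VNC password auth; a known factory password logs straight in"
    else:
        verdict = "reachable; only non-classic auth types offered"
    return f"{verdict} [{names}]"


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-handshake")
        buf += chunk
    return buf


def probe_vnc(host: str, port: int = 5900, timeout: float = 5.0):
    """Do the RFB version exchange and return ((major, minor), [security types])."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        version = parse_rfb_version(banner)
        s.sendall(banner)  # echo the server's own version so 3.3/3.7/3.8 all work
        if version < (3, 7):
            data = _recv_exact(s, 4)
        else:
            data = _recv_exact(s, 1)
            if data[0] == 0:  # refusal: read the u32 length and the reason text
                length = _recv_exact(s, 4)
                data += length + _recv_exact(s, struct.unpack(">I", length)[0])
            else:
                data += _recv_exact(s, data[0])
        return version, parse_security_types(version, data)


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    try:
        ver, types = probe_vnc(target, target_port)
        print(f"{target}:{target_port} RFB {ver[0]}.{ver[1]} -> {describe(types)}")
    except (OSError, ValueError) as exc:
        print(f"{target}:{target_port} probe failed: {exc}")
```

Run it from a host outside the maintenance allowlist before and after the firewall change: before, an affected device answers with its RFB banner and offers VNC Authentication (type 2); after, the connection should time out or be refused at the TCP layer. Run it against the probe's own host to confirm that the rule does not block the maintenance path you intended to keep.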
📡 Detection & Monitoring
Log Indicators:
- Failed or successful authentication attempts on port 5900
- Unexpected VNC connection logs
- Configuration changes without authorized maintenance
Network Indicators:
- Outbound connections from medical devices to unexpected destinations
- Port scanning activity targeting port 5900
- VNC protocol traffic to/from medical devices
SIEM Query:
(source_port:5900 OR dest_port:5900) AND (device_type:medical OR device_vendor:Siemens)
The parentheses matter: without them AND binds tighter than OR and the query matches every flow with source port 5900 regardless of device. Field names are placeholders; substitute your SIEM's own schema and asset-inventory tags.
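The three network indicators above (VNC to a device from an unexpected source, an analyzer initiating connections outside its segment, and one host sweeping port 5900 across devices) can be expressed as detection logic and tested against a log sample. The following is an added example, not part of the original page; the device inventory, addresses, maintenance-host allowlist and the space-separated log format are assumptions constructed for illustration, and the sample log lines are constructed too.

```python
"""Detection logic for the indicators above, run over a constructed firewall
connection log.  Added example, not part of the original page; the inventory,
addresses and log format are assumptions for illustration."""
import ipaddress
from collections import defaultdict

# Assumed inventory: the analyzers' lab VLAN and the one workstation that is
# allowed to reach them over VNC for vendor maintenance.
LAB_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
MEDICAL_DEVICES = {"10.20.30.11", "10.20.30.12", "10.20.30.13"}
VNC_ALLOWED_SOURCES = {"10.20.30.5"}
VNC_PORT = 5900
SCAN_THRESHOLD = 3  # distinct devices one source touches on 5900 before we call it a sweep

# Constructed log: "<ts> <src> <sport> <dst> <dport> <proto> <action>" per line.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.20.30.5  51122 10.20.30.11 5900 tcp allow
2024-05-01T08:02:14Z 10.50.1.77  40001 10.20.30.11 5900 tcp allow
2024-05-01T08:02:15Z 10.50.1.77  40002 10.20.30.12 5900 tcp deny
2024-05-01T08:02:15Z 10.50.1.77  40003 10.20.30.13 5900 tcp deny
2024-05-01T08:10:00Z 10.20.30.12 49152 203.0.113.9 443  tcp allow
2024-05-01T08:11:00Z 10.20.30.12 49153 10.20.30.2  3128 tcp allow
"""


def parse_line(line: str) -> dict:
    ts, src, sport, dst, dport, proto, action = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "action": action}


def analyse(log_text: str) -> list:
    """Return (rule, source, target, timestamp) tuples for each indicator hit."""
    alerts = []
    vnc_targets = defaultdict(set)  # source -> set of devices it tried on 5900
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        to_device_vnc = (ev["dst"] in MEDICAL_DEVICES and ev["dport"] == VNC_PORT
                         and ev["proto"] == "tcp")
        # Rule 1: any VNC attempt against a device that is not from the
        # maintenance host.  Denied attempts count too: they are the scan trail.
        if to_device_vnc:
            vnc_targets[ev["src"]].add(ev["dst"])
            if ev["src"] not in VNC_ALLOWED_SOURCES:
                alerts.append(("unauthorized_vnc", ev["src"], ev["dst"], ev["ts"]))
        # Rule 2: an analyzer opening a connection outside its own segment,
        # which is what a foothold used as a pivot or for exfiltration looks like.
        if ev["src"] in MEDICAL_DEVICES and ipaddress.ip_address(ev["dst"]) not in LAB_SEGMENT:
            alerts.append(("device_outbound", ev["src"], ev["dst"], ev["ts"]))
    # Rule 3: one source touching 5900 on several devices is a sweep for VNC.
    for src, targets in vnc_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("vnc_sweep", src, f"{len(targets)} devices", ""))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

On the sample log this raises three unauthorized_vnc alerts for 10.50.1.77 (including the two denied attempts), one device_outbound alert for the analyzer reaching 203.0.113.9, and one vnc_sweep alert for 10.50.1.77; the maintenance host's own session and the analyzer's connection to the in-segment proxy produce nothing. The allowlist and segment are the tuning knobs: keep them in sync with the firewall rule from the workaround section so that detection and prevention describe the same policy.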