CVE-2021-37160
📋 TL;DR
CVE-2021-37160 is a critical firmware validation bypass vulnerability in Swisslog Healthcare Nexus Panel HMI3 Control Panel. It allows attackers to upload malicious firmware without cryptographic signature validation, potentially gaining complete control of medical device control systems. This affects Swisslog Healthcare Nexus Panel systems running software versions before Nexus Software 7.2.5.7.
💻 Affected Systems
- Swisslog Healthcare Nexus Panel HMI3 Control Panel
📦 What is this software?
Hmi 3 Control Panel Firmware by Swisslog Healthcare
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of medical device control systems allowing unauthorized firmware installation, potential disruption of hospital operations, manipulation of medical device functionality, and patient safety risks.
Likely Case
Unauthorized access to control systems, potential data exfiltration, and disruption of medical device operations in healthcare environments.
If Mitigated
Limited impact with proper network segmentation and access controls, though the vulnerability remains present in unpatched systems.
🎯 Exploit Status
The PwnedPiper research demonstrates weaponized exploitation chains. Attackers can upload malicious firmware without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nexus Software 7.2.5.7 and later
Vendor Advisory: https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures
Restart Required: Yes
Instructions:
1. Contact Swisslog Healthcare for patch availability
2. Schedule maintenance window
3. Apply Nexus Software 7.2.5.7 update
4. Verify firmware validation is enabled
5. Restart affected systems
🔧 Temporary Workarounds
Network Segmentation
Isolate Nexus Panel systems from general network access and restrict them to necessary communication only
Access Control Lists
Implement strict firewall rules to limit access to Nexus Panel management interfaces
🧯 If You Can't Patch
- Segment affected systems on isolated VLANs with strict access controls
- Monitor for unauthorized firmware upload attempts and network traffic to/from Nexus Panels
🔍 How to Verify
Check if Vulnerable:
Check Nexus Panel software version via device interface or management console. Versions before 7.2.5.7 are vulnerable.
Check Version:
Check via Nexus Panel web interface or contact Swisslog Healthcare for version verification tools
Verify Fix Applied:
Verify that the software version is 7.2.5.7 or later and perform a firmware upload validation test.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized firmware upload attempts
- Unexpected firmware update events
- Authentication bypass attempts
Network Indicators:
- Unexpected connections to Nexus Panel management ports
- Firmware upload traffic from unauthorized sources
SIEM Query:
source_ip=* AND dest_port=(management_port) AND protocol=HTTP AND (uri_contains="firmware" OR uri_contains="upload")
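The SIEM query above expressed as detection logic over proxy or firewall logs, with the two URI keywords grouped explicitly and an allowlist for the "unauthorized sources" indicator. This is an added example, not vendor or Armis code; the log layout, port number, URI paths, IP addresses and the allowlisted update host are all constructed assumptions.

```python
import ipaddress
import re

# Assumptions (not from the advisory): log layout, port number and the
# allowlisted update host are constructed placeholders for illustration.
MGMT_PORT = 8080                                   # stands in for (management_port)
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.0.5/32")]  # approved update station
URI_KEYWORDS = ("firmware", "upload")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+)$"
)

def is_authorized(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # a malformed source address is never treated as authorized
    return any(addr in net for net in AUTHORIZED_SOURCES)

def find_suspect_uploads(lines):
    """Return parsed events that match the query and come from non-allowlisted sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        ev = m.groupdict()
        uri = ev["uri"].lower()  # case-insensitive keyword match
        if (int(ev["dport"]) == MGMT_PORT
                and ev["proto"].upper() == "HTTP"
                and any(k in uri for k in URI_KEYWORDS)   # (firmware OR upload)
                and not is_authorized(ev["src"])):
            hits.append(ev)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "2021-08-02T10:00:01Z src=10.20.0.5 dst=10.30.1.10 dport=8080 proto=HTTP method=POST uri=/firmware/update",
    "2021-08-02T10:05:12Z src=10.40.7.23 dst=10.30.1.10 dport=8080 proto=HTTP method=POST uri=/Firmware/Upload",
    "2021-08-02T10:06:40Z src=10.40.7.23 dst=10.30.1.10 dport=8080 proto=HTTP method=GET uri=/status",
    "2021-08-02T10:07:02Z src=10.40.7.23 dst=10.30.1.10 dport=443 proto=HTTPS method=POST uri=/upload",
]

if __name__ == "__main__":
    for ev in find_suspect_uploads(SAMPLE):
        print(f"ALERT {ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} {ev['method']} {ev['uri']}")
```

Only the second sample line is flagged: the first comes from the allowlisted update station, the third has no matching URI keyword, and the fourth is on a different port and protocol.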
🔗 References
- https://www.armis.com/PwnedPiper
- https://www.swisslog-healthcare.com
- https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37160-bulletin---no-firmware-update-validation.pdf?rev=c7f94647037c4007992e2e626d445561&hash=E89531490070A809FB74994018BA1248
- https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures#:~:text=CVE%20Disclosures%20%20%20%20Vulnerability%20Name%20%2C%20%20CVE-2021-37164%20%204%20more%20rows%20