CVE-2021-37165
📋 TL;DR
A buffer overflow vulnerability in Swisslog Healthcare Nexus Panel's HMI3 Control Panel allows remote attackers to execute arbitrary code by sending specially crafted messages to the HMI TCP socket. This affects Swisslog Healthcare Nexus Panel systems running software versions before Nexus Software 7.2.5.7. The vulnerability can lead to complete system compromise.
💻 Affected Systems
- Swisslog Healthcare Nexus Panel
📦 What is this software?
HMI3 Control Panel firmware by Swisslog Healthcare
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full control of the medical device system, potentially disrupting hospital operations, compromising patient data, or manipulating medical equipment functionality.
Likely Case
Attackers exploit the vulnerability to install malware, establish persistence, and move laterally within hospital networks to access sensitive medical systems and data.
If Mitigated
With proper network segmentation and access controls, impact is limited to the specific vulnerable device, preventing lateral movement to critical medical systems.
🎯 Exploit Status
The PwnedPiper research by Armis includes detailed exploitation techniques and demonstrates remote code execution capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nexus Software 7.2.5.7 or later
Vendor Advisory: https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures
Restart Required: Yes
Instructions:
1. Contact Swisslog Healthcare support for the patch.
2. Schedule a maintenance window.
3. Apply the Nexus Software update to version 7.2.5.7 or later.
4. Restart the system as required.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate Nexus Panel systems from general hospital networks and restrict access to the HMI TCP socket (typically port 5001).
Firewall Rules
Block external access to Nexus Panel systems and restrict internal access to authorized management stations only.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from critical medical networks
- Deploy intrusion detection systems to monitor for exploitation attempts on the HMI TCP socket
🔍 How to Verify
Check if Vulnerable:
Check the software version on the Nexus Panel interface. If version is below 7.2.5.7, the system is vulnerable.
Check Version:
Check the software version through the Nexus Panel administrative interface or contact Swisslog Healthcare support for version verification.
Verify Fix Applied:
Verify the software version shows 7.2.5.7 or higher after applying the patch.
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to port 5001
- Multiple failed connection attempts to HMI socket
- Unexpected process creation on Nexus Panel
Network Indicators:
- Unusual traffic patterns to/from Nexus Panel systems
- Exploit-like payloads sent to port 5001
- Unexpected outbound connections from Nexus Panel
SIEM Query:
dest_port=5001 AND (payload_size > <baseline_hmi_message_size> OR pattern=<overflow_signature>)
(Pseudo-query: replace the angle-bracket placeholders with your SIEM's field names, a payload-size baseline measured from normal HMI traffic, and whatever overflow signature your IDS provides for this socket.)
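The log and network indicators above, implemented as detection logic run over constructed connection-log lines (an added example, not code from Swisslog Healthcare or Armis). It assumes a simple "timestamp src dst dport bytes" record format, the port 5001 named in this advisory, and a known allow-list of authorized management stations; the payload baseline and burst thresholds are placeholders to tune from observed normal traffic.

```python
from collections import defaultdict

HMI_PORT = 5001                          # HMI TCP socket port named in the advisory
AUTHORIZED = {"10.0.10.5", "10.0.10.6"}  # constructed allow-list of management stations
MAX_PAYLOAD = 512                        # constructed baseline for a normal HMI message
BURST_THRESHOLD = 5                      # connections from one source inside BURST_WINDOW
BURST_WINDOW = 60                        # seconds


def parse_line(line):
    """Parse the constructed 'ts src dst dport bytes' record format."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def detect(lines):
    """Return (rule, src_ip, ts) alerts for traffic aimed at the HMI port."""
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of its HMI-port connections
    for rec in map(parse_line, lines):
        if rec["port"] != HMI_PORT:
            continue                     # only the HMI socket is in scope
        if rec["src"] not in AUTHORIZED:
            alerts.append(("unauthorized_source", rec["src"], rec["ts"]))
        if rec["bytes"] > MAX_PAYLOAD:
            alerts.append(("oversized_payload", rec["src"], rec["ts"]))
        window = [t for t in recent[rec["src"]] if rec["ts"] - t <= BURST_WINDOW]
        window.append(rec["ts"])
        recent[rec["src"]] = window
        if len(window) == BURST_THRESHOLD:  # fire once, when the threshold is crossed
            alerts.append(("connection_burst", rec["src"], rec["ts"]))
    return alerts


# Constructed sample: one benign management connection, one unrelated SSH
# session, then a burst of connections from an unauthorized host, one oversized.
SAMPLE_LOG = [
    "1000 10.0.10.5 10.0.20.7 5001 120",
    "1005 10.0.10.5 10.0.20.7 22 80",
    "1010 10.0.30.9 10.0.20.7 5001 96",
    "1011 10.0.30.9 10.0.20.7 5001 4096",
    "1012 10.0.30.9 10.0.20.7 5001 96",
    "1013 10.0.30.9 10.0.20.7 5001 96",
    "1014 10.0.30.9 10.0.20.7 5001 96",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feeding real connection logs (Zeek conn.log, firewall exports) only requires replacing `parse_line`; the three rules map directly onto the indicators listed above.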
🔗 References
- https://www.armis.com/PwnedPiper
- https://www.swisslog-healthcare.com
- https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37165-bulletin---overflow-in-hmiprocessmsg.pdf?rev=2e2678dab62b41ba999cd6d1e03974ca&hash=F465ACE2C7FAED826B52FE996E36ACEC
- https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures