German appliance maker Miele is reaching out to customers of its networked medical dishwashers to install a patch for a path traversal flaw in the model's web server.
The flaw, which resides in several PG 85 series dishwashers' web server, requires a Miele technician to install the patch, according to an advisory today by the US Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT).
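The advisory names the flaw class (path traversal in an embedded web server) but not how to recognise or prevent it. The following is an added example, not Miele's code and not taken from the advisory or the researcher's publication: a file-path resolver that refuses requests escaping the document root, plus a small filter that flags traversal attempts in constructed web-server log lines. The web root `/srv/www`, the log format and every log line are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the illustration; the appliance's real layout is not on the page.
WEB_ROOT = "/srv/www"


def decode_path(request_path):
    """Percent-decode twice so double-encoded dots (%252e) are seen as plain dots."""
    return unquote(unquote(request_path))


def is_traversal(request_path):
    """True if the decoded path carries a '..' segment, a backslash separator or a NUL byte."""
    decoded = decode_path(request_path).replace("\\", "/")
    if "\x00" in decoded:
        return True
    # Only a whole '..' segment counts; a file called 'run..log' is legitimate.
    return ".." in decoded.split("/")


def resolve_safely(web_root, request_path):
    """Map request_path onto web_root, returning None instead of any path outside it."""
    if is_traversal(request_path):
        return None
    decoded = decode_path(request_path)
    # normpath collapses '.' segments; the leading '/' keeps the result rooted.
    rel = posixpath.normpath("/" + decoded).lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Defence in depth: the final path must still sit at or under the root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in a common combined-log shape (not real traffic).
CONSTRUCTED_LOG = [
    '192.0.2.10 - - [24/Mar/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Mar/2017:10:00:01 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1201',
    '192.0.2.12 - - [24/Mar/2017:10:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 800',
    '192.0.2.13 - - [24/Mar/2017:10:00:03 +0000] "GET /reports/run..log HTTP/1.1" 200 77',
]


def flag_traversal_requests(log_lines):
    """Return the log lines whose request path carries a traversal sequence."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()  # method, path, protocol
        if len(fields) < 2:
            continue
        if is_traversal(fields[1]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_traversal_requests(CONSTRUCTED_LOG):
        print("traversal attempt:", line)
    print(resolve_safely(WEB_ROOT, "/index.html"))
```

The resolver rejects any `..` segment outright rather than relying on normalisation alone, because an embedded server that normalises after joining with the root is exactly the pattern that produces this bug class; the final containment check is kept as a second, independent guard. The log filter applies the same decoding, so an encoded or double-encoded attempt is caught the same way a plain one is.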
"Miele Professional issued patches for this vulnerability on May 4, 2017. Miele Professional is in the process of contacting all affected users via registered mail," the advisory notes.
"Users of affected machines can contact Miele Professional at 1-800-991-9380 to schedule service for a software update, which must be performed by a Miele Professional technician."
The flaw affects 12 versions of four PG 85 Series models, including the PG8527, PG8528, PG8538, and PG8536.
Patching appears to be urgent. ICS-CERT notes the flaw is “remotely exploitable” and requires “low skill level to exploit”. Additionally, public exploits are available. The bug, tagged as CVE-2017-7240, has a "high" CVSS v3 base score of 7.3 out of a possible 10.
Miele was notified of the bug in November last year by security consultant Jens Regel, but the firm ignored the report until Regel published the bug and proof-of-concept exploit code on March 24, which was then picked up by the media. He had actually made contact with a Miele representative in November, but the firm never followed up.
As detailed in Miele’s PG 85 product brochure, these “new generation” lab dishwashers have an optional Ethernet module, and can be connected directly to a PC, or to a local network. The feature allows data from the dishwasher to be transferred to a PC for reporting.
After Regel’s disclosure, Miele issued a press release denying reports that its dishwashers were a “gateway for hackers”, and clarified that only an attacker on the same network could access read-out data from the machine.
“With this data, hackers could possibly be successful in cracking passwords in order to obtain further access to machine software… Furthermore, the abuse of machine data would neither facilitate access to third-party data nor to other machines or processes in the user's network,” it said.
Regel agreed with this assessment, but told Motherboard that hackers could infect a dishwasher and from there compromise PCs on the same network.
For these reasons, Miele rated the bug as being "moderately serious". It said it was aiming to have patches uploaded to its website within weeks.
Miele, however, admitted it was a “serious shortcoming” to have failed to respond to Regel’s notifications and thanked the researcher for his efforts. The company does not offer a bounty to security researchers who report bugs.
According to Miele, it has sold 5,800 of the affected dishwashers since their introduction in 2007.