Feds Warn Health Sector to Patch Apache Tomcat Flaws
Healthcare Sector Heavily Relies on Open-Source Web Server; Older Flaws Pose Threat
Federal authorities are alerting healthcare and public health sector entities of vulnerabilities that put Apache Tomcat at risk for attacks if left unmitigated. The healthcare sector heavily relies on the open-source web server, which is maintained by the nonprofit Apache Corp., for hosting electronic health records and an array of other systems and applications.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert Wednesday said vulnerabilities in Tomcat are frequently being found that may make it open to exploitation by cyberattack.
“Due to its functionality, it's often exposed directly to the internet, making it accessible to numerous threat actors,” HHS HC3 said.
“It's usually used for hosting EHR systems, running health information exchange systems, hosting laboratory information management systems, hosting and running custom healthcare applications, and supporting telemedicine applications, among other functions,” the alert says. “Because Tomcat is so frequently deployed, it has attracted the attention of threat actors,” HHS HC3 warns.
Tomcat vulnerabilities have been around for years but are often neglected by healthcare organizations, leaving them at risk, some experts said.
“Tomcat is battle-hardened software with huge usage. It's been a while since a major Tomcat vulnerability was announced; the HHS HC3 Tomcat alert that came out this week primarily focuses on notable historic vulnerabilities that have been published over the last five to 10 years, not recent developments,” said Ryan Emmons, lead security researcher at security firm Rapid7.
“It is increasingly common for new zero-day vulnerabilities to be weaponized against organizations, but exploitation of older CVEs is still a much more common occurrence,” he said.
Known vulnerabilities are frequently leveraged by threat actors in an automated fashion, he said. “For large organizations struggling with visibility of their assets, these older Tomcat vulnerabilities can persist for months and even years, driving increased risk of security incidents – particularly when the attack surface area is internet-facing.”
The HHS HC3 alert lists more than a dozen “historic” vulnerabilities in Apache Tomcat that healthcare organizations “should” have already patched. But if not, these vulnerabilities continue to be open to attacks.
Common historic vulnerabilities in Tomcat often involve remote code execution, information disclosure, cross-site scripting, denial of service, insecure deserialization, security misconfiguration, session fixation, and directory traversal, HHS HC3 said.
“Many threat actors are after low-hanging fruit. Forgotten Tomcat servers from 2013 on the public internet are exactly the type of thing attackers are hoping to find,” Emmons said.
A lot of the recent notable Tomcat vulnerabilities result in denial-of-service conditions, which result in downtime for targeted applications, he said.
“However, exploitation of more severe older code execution vulnerabilities, such as CVE-2017-12617 or CVE-2019-0232, can result in an attacker being able to run any program they want on the victim computer. From there, attackers can pillage data from the Tomcat system's databases and attempt to move laterally into other systems on healthcare networks.
“The best way to defend Tomcat is with good security hygiene: Know your assets, patch them routinely, implement strong passwords for Tomcat management interfaces, and limit the exposure of systems where possible,” Emmons said.