X41 D-Sec GmbH Security Advisory: x41-2024-004-Medico
Missing Transport Security for Medico Classic Application Server Connections
Severity Rating: High
Vector: MitM on local network
CVE: Requested by vendor
CWE: 319
CVSS Score: 7.1
CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Affected Version: CGM Medico below 29.01.02.01
Patched Versions: CGM Medico 29.01.02.01 and above (according to vendor)
Vendor: CGM Clinical Europe GmbH
Vendor URL: https://www.cgm.com/deu_de/produkte/krankenhaus/cgm-medico.html
Credit: X41 D-Sec GmbH, Luc Gommans and Niklas Abel
Status: Public
Advisory URL: https://www.x41-dsec.de/lab/advisories/x41-2024-004-medico/
Summary and Impact
The CGM MEDICO hospital information system (KIS) does not use transport encryption to secure its classic application server (dnet) connections by default. The classic application server sends Visual Basic scripts, PDF files, and other data to the MEDICO clients. An attacker on the network path could replace these scripts with their own code, which the client then executes, or read the documents and other information while they are in transit.
Product Description
The CGM MEDICO hospital information system (KIS) is used to manage hospitals and their patients, having access to sensitive patient data.
Analysis
The MEDICO clients connect to the classic application servers, e.g. on port 5102/TCP. Since this traffic is not encrypted by default, a machine-in-the-middle on the local network can read and modify the clear-text data in transit.
The transferred data includes Visual Basic scripts (VBS), PDF files and other data. Test patient data was transferred as well; no real patient data was observed during the investigation. More importantly, the transferred VBS scripts are executed on the client side, so an attacker who replaces them with their own code gains full access to patient data and to any other information on the client computer.
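A quick way to verify the finding, or to re-check it after the vendor patch, is to export the first bytes of a dnet connection from a packet capture and classify them. The following triage script is an added example for this advisory, not code from X41 or from the vendor. It assumes that an encrypted connection starts with a TLS record header (0x16 0x03 0x0X, i.e. a handshake record) and that the clear-text dnet payload carries recognisable VBS keywords or a PDF header; the sample files it creates are constructed and are not real MEDICO traffic.

```shell
#!/bin/sh
# Triage of a captured dnet stream (e.g. one direction of a TCP conversation
# exported raw from a packet capture). Added example, not part of the advisory.
#
# Assumptions (not stated in the advisory): a TLS-protected connection begins
# with a TLS handshake record header 0x16 0x03 0x0X; the cleartext payload
# contains VBS keywords or a PDF header.

classify_stream() {
    f="$1"
    # First three bytes as lowercase hex, e.g. "16 03 01"
    hdr=$(od -An -tx1 -N3 "$f" | tr -d '\n' | sed 's/^ *//')
    case "$hdr" in
        "16 03 0"[0-4]) echo tls; return 0 ;;
    esac
    if grep -q '%PDF-' "$f"; then
        echo cleartext-pdf
    elif grep -qE 'CreateObject\(|WScript\.|^ *(Dim|Sub|Function) ' "$f"; then
        echo cleartext-vbs
    else
        echo cleartext-other
    fi
}

# Constructed samples (not real MEDICO traffic): a TLS ClientHello prefix, a
# VBS snippet, a PDF header and an unrelated cleartext banner.
tmp=$(mktemp -d)
printf '\026\003\001\002\005\001' > "$tmp/tls.bin"
printf 'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc.exe"\r\n' > "$tmp/script.vbs"
printf '%%PDF-1.4\n%%\342\343\317\323\n1 0 obj\n' > "$tmp/report.pdf"
printf 'HELLO dnet 1.0\r\n' > "$tmp/other.bin"

for f in "$tmp"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_stream "$f")"
done
```

Anything other than `tls` for a stream on the dnet port means the connection is still readable and modifiable on the wire; a `cleartext-vbs` result is the case that allows code execution on the client.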
Fix or Workaround
It is recommended to update to version 29.01.02.01 or newer by installing the patch from the vendor. Where this is not yet possible, the connection can be secured with stunnel, a VPN, or an SSH tunnel.
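The interim workaround in concrete form, as an added example for this advisory (not a vendor-provided configuration): stunnel terminates TLS in front of the classic application server and the MEDICO client talks to a loopback listener on the workstation, with the SSH port forward the vendor proposed as the alternative. It assumes the MEDICO client can be pointed at 127.0.0.1 instead of the server name, that 5103/TCP is free on the server for the TLS listener, and that the hostname `medico-app.example.invalid`, the SSH user `medico-tunnel` and the certificate paths are placeholders to be replaced.

```shell
#!/bin/sh
# Wrapping the cleartext dnet connection (5102/TCP in the advisory) in TLS with
# stunnel, plus the SSH local port forward suggested as interim measure.
# Added example, not vendor configuration. Hostname, SSH user, TLS port 5103 and
# certificate paths are placeholder assumptions.

DNET_PORT=5102
TLS_PORT=5103
SERVER=medico-app.example.invalid

# Server side: stunnel accepts TLS on $TLS_PORT and hands the plaintext to the
# classic application server on the loopback interface only.
write_server_config() {
    cat > "$1" <<EOF
; stunnel server config (on the application server host)
foreground = no
[dnet-tls]
accept = 0.0.0.0:$TLS_PORT
connect = 127.0.0.1:$DNET_PORT
cert = /etc/stunnel/medico-app.pem
key = /etc/stunnel/medico-app.key
; TLS 1.2 or newer only (stunnel 5.x option)
sslVersionMin = TLSv1.2
EOF
}

# Client side: stunnel listens on loopback, so the unchanged MEDICO client
# connects to 127.0.0.1:5102; traffic leaves the workstation only inside TLS.
# The server certificate is checked against the hospital's own CA, so a
# machine-in-the-middle cannot simply present its own certificate.
write_client_config() {
    cat > "$1" <<EOF
; stunnel client config (on each MEDICO workstation)
client = yes
[dnet-tls]
accept = 127.0.0.1:$DNET_PORT
connect = $SERVER:$TLS_PORT
CAfile = /etc/stunnel/hospital-ca.pem
verifyChain = yes
checkHost = $SERVER
sslVersionMin = TLSv1.2
EOF
}

# SSH alternative (the vendor's PuTTY suggestion, as an OpenSSH command): the
# local dnet port is forwarded through the SSH session, and the client again
# connects to 127.0.0.1:5102.
ssh_forward_command() {
    echo "ssh -N -L 127.0.0.1:$DNET_PORT:127.0.0.1:$DNET_PORT medico-tunnel@$SERVER"
}

tmp=$(mktemp -d)
write_server_config "$tmp/stunnel-server.conf"
write_client_config "$tmp/stunnel-client.conf"
ssh_forward_command
```

Either variant only helps if the classic application server's own 5102/TCP listener is no longer reachable from the network (bind it to loopback or firewall it), otherwise a client that is still configured with the server name bypasses the tunnel and the clear-text path remains. Certificate verification (`verifyChain`/`checkHost`) is the part that actually defeats a machine-in-the-middle; a tunnel that accepts any certificate only hides the traffic from passive observers.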
Timeline
2023-11-29 Issue identified during a penetration test.
2024-02-01 Hospital contacted vendor regarding the issue.
2024-02-02 Vendor replied with first feedback.
2024-05-14 Hospital discussed with X41 the vendor’s suggested workaround of piping classic application server connections through SSH by using PuTTY.
2024-05-17 X41 contacted BSI because classic server connections do not seem to be encrypted.
2024-10-24 Meeting with the vendor, BSI and X41.
2025-06-04 Meeting with the vendor, BSI and X41.
2025-07-30 Meeting with the vendor and X41.
2025-08-13 Meeting with the vendor and X41; CVE likely requested by vendor.
2025-09-03 Vendor released patch, advisory published.
About X41 D-SEC GmbH
X41 is an expert provider of application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world-class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security-centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.