CVE-2021-37165
Published 2021-08-02
Priority P260 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.26% (86.8th percentile)
A buffer overflow issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. When a message is sent to the HMI TCP socket, it is forwarded to the hmiProcessMsg function through the pendingQ, and may lead to remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| swisslog-healthcare | hmi-3_control_panel_firmware | < 7.2.5.7 | 7.2.5.7 |
Detection & IOCs (extracted from sources)
- port: 12345/udp
- url: www.armis.com/pwnedPiper
- bytes: TLPU (hex 54 4C 50 55) at the start of the packet
- bytes: 00 00 00 01 starting 4 bytes after the end of the TLPU match (distance:4; within:4), i.e. at datagram bytes 8-11
Snort rule (sid:2033661):
alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs)"; dsize:<21; content:"TLPU"; startswith; fast_pattern; content:"|00 00 00 01|"; distance:4; within:4; reference:url,www.armis.com/pwnedPiper; reference:cve,2021-37162; reference:cve,2021-37165; reference:cve,2021-37161; classtype:attempted-admin; sid:2033661; rev:1; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37162, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- The ET rule matches UDP datagrams to port 12345 (Translogic packets, per the rule's own name) that are shorter than 21 bytes and carry the 'TLPU' magic at offset 0. Note the mismatch with the CVE text, which describes the HMI TCP socket: the rule inspects UDP/12345, so it is a PwnedPiper cluster indicator rather than a detection specific to this CVE.
- The overflow itself is triggered by a message sent to the HMI TCP socket and forwarded to the hmiProcessMsg function through the pendingQ. Where that socket can be observed, monitor for anomalous or oversized messages to it; the UDP rule above does not cover that path.
- This CVE is part of the PwnedPiper vulnerability cluster (alongside CVE-2021-37161 and CVE-2021-37162), and the rule references all three. Correlate detections across the three CVEs on Swisslog Healthcare Nexus Panel devices.
- Only Swisslog Healthcare Nexus Panel devices running Nexus Software versions prior to 7.2.5.7 are affected. Scope $HOME_NET in the Snort/Suricata rule to the segments hosting these devices to reduce false positives.
- The rule's dsize:<21 constraint restricts it to datagrams of 20 bytes or less. Packets of 21 bytes or more never match, whether legitimate or malicious, so the rule only catches the small malformed form named in its msg. Conversely, if protocol inspection shows that valid Translogic packets can be shorter than 21 bytes and carry the same header bytes, they will produce false positives and the rule needs tuning.
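As an added example (not code from this page, from Emerging Threats or from Swisslog), the following Python re-implements the content-matching logic of sid:2033661 and runs it over constructed datagrams that sit on each edge of the rule: the dsize:<21 boundary, the startswith magic, and the distance:4; within:4 window, which under Snort/Suricata relative-content semantics places the 00 00 00 01 pattern at bytes 8-11. The packet layout used by build_pkt (four zero header bytes after the magic) and the sample datagrams are assumptions for illustration; only the byte positions, the size limit and the port come from the rule.

```python
import struct

# Constants lifted from the rule's content matchers; everything else about the
# packet layout below is an assumption made for this example.
MAGIC = b"TLPU"                 # content:"TLPU"; startswith
PATTERN = b"\x00\x00\x00\x01"   # content:"|00 00 00 01|"
MAX_DSIZE = 21                  # dsize:<21  -> payload must be 20 bytes or less
DISTANCE = 4                    # distance:4 -> skip 4 bytes after the end of "TLPU"
WITHIN = 4                      # within:4   -> the pattern must fit in the next 4 bytes
RULE_PORT = 12345               # alert udp any any -> $HOME_NET 12345


def rule_2033661_matches(payload: bytes, dst_port: int = RULE_PORT, proto: str = "udp") -> bool:
    """Return True if a datagram would trigger ET sid:2033661.

    Snort/Suricata relative-content semantics, spelled out: "TLPU" must start
    at offset 0, so the first match ends at offset 4. distance:4 opens the
    next search window 4 bytes after that (offset 8), and within:4 limits the
    window to 4 bytes, so a 4-byte pattern can only sit at payload[8:12].
    """
    if proto != "udp" or dst_port != RULE_PORT:
        return False                        # rule header: udp to port 12345 only
    if len(payload) >= MAX_DSIZE:
        return False                        # dsize:<21
    if not payload.startswith(MAGIC):
        return False                        # content:"TLPU"; startswith
    start = len(MAGIC) + DISTANCE           # 4 + 4 = 8
    window = payload[start:start + WITHIN]  # payload[8:12]
    return window == PATTERN                # |00 00 00 01| exactly at offset 8


def build_pkt(field: int, body: bytes = b"") -> bytes:
    """Constructed packet: magic, 4 header bytes (assumed layout), 4-byte big-endian field."""
    return MAGIC + bytes(4) + struct.pack(">I", field) + body


# Constructed sample datagrams, one per edge of the rule (not real captures).
SAMPLES = {
    "short_malformed":    build_pkt(1),                  # 12 bytes, matches
    "twenty_bytes":       build_pkt(1, b"A" * 8),        # 20 bytes, still < 21
    "padded_to_21":       build_pkt(1, b"A" * 9),        # 21 bytes, dsize fails
    "wrong_magic":        b"TLPX" + bytes(4) + PATTERN,  # magic mismatch
    "pattern_misaligned": MAGIC + bytes(3) + PATTERN + bytes(1),  # pattern at 7, window is 8..11
    "field_is_two":       build_pkt(2),                  # 00 00 00 02 != pattern
}


def evaluate_samples(samples: dict = SAMPLES) -> dict:
    """Run every sample through the rule; returns {name: alert?}."""
    return {name: rule_2033661_matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if hit else 'no match'}")
```

Feeding the same bytes with proto="tcp" returns False, which makes the gap noted above concrete: the rule says nothing about the HMI TCP socket named in the CVE text, and any monitoring of that path has to be built separately.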
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
Suricata
ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs) (suricata · 2021-08-03; rule text as given under Detection & IOCs above; the same rule is also indexed under CVE-2021-37162)
No public exploits indexed.
No writeups or analysis indexed.
References
- https://www.armis.com/PwnedPiper
- https://www.swisslog-healthcare.com
- https://www.swisslog-healthcare.com/-/media/swisslog-healthcare/documents/customer-service/armis-documents/cve-2021-37165-bulletin---overflow-in-hmiprocessmsg.pdf?rev=2e2678dab62b41ba999cd6d1e03974ca&hash=F465ACE2C7FAED826B52FE996E36ACEC
- https://www.swisslog-healthcare.com/en-us/customer-care/security-information/cve-disclosures