• »
  • Latest Threats
  • Desktop
  • Server
  • critical Severity (Can fully compromise system)

Hospira Drug Infusion Pump multiple vulnerabilities including no auth required for root over TELNET

critical Severity            Affects:
Hospira LifeCare PCA Infusion System before 7.0

Independent security researcher, Billy Rios has disclosed several critical vulnerabilities in the Hospira LifeCare PCA3 and PCA5 drug infusion systems, which could give malicious users the ability to remotely over-dose or under-dose a patient.

The vulnerabilities are as follows:

TACK-BASED BUFFER OVERFLOW

The researcher has evaluated the device and asserts that the device contains a buffer overflow vulnerability that could be exploited to allow execution of arbitrary code on the device. This vulnerability has not been validated by Hospira; however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so that additional monitoring and controls can be applied.

CVE-2015-3955 has been assigned to this vulnerability. A CVSS v2 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:H/Au:N/C:C/I:C/A:C).


IMPROPER AUTHORIZATION

The LifeCare PCA Infusion pump’s communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user may be able to issue commands to modify the wireless configuration of the pump.

CVE-2015-3459e has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).


INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY

The LifeCare PCA Infusion pump could have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source. The LifeCare PCA Infusion pump listens on the following ports: Port 20/FTP, Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.

CVE-2014-5406 has been assigned to this vulnerability. A CVSS v2 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:H/Au:N/C:C/I:C/A:C).


USE OF HARDCODED PASSWORD

Hardcoded accounts may be used to access the device.

CVE-2015-1011 has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).


CLEARTEXT STORAGE OF SENSITIVE INFORMATION

Wireless keys are stored in plain text on Version 5 of the LifeCare PCA Infusion System. According to Hospira, Version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting.

CVE-2015-1012 has been assigned to this vulnerability. A CVSS v2 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:N).


KEY MANAGEMENT ERRORS

Private keys and certificates are stored on the device.

CVE-2015-3957 has been assigned to this vulnerability. A CVSS v2 base score of 4.6 has been assigned; the CVSS vector string is (AV:L/AC:L/Au:N/C:P/I:P/A:P).


VULNERABLE SOFTWARE VERSION USED

The web server is reportedly running vulnerable versions of AppWeb, to include Version 1.0.2, which contain numerous vulnerabilities. This vulnerability impacts LifeCare PCA Infusion Systems Version 5, prior to Version 5.07. According to Hospira, Version 3 of the LifeCare PCA Infusion System does not have wireless capability and, therefore, does not use the vulnerable versions of AppWeb.


UNCONTROLLED RESOURCE CONSUMPTION

The device is susceptible to a denial of service condition as a result of an overflow of TCP packets, which requires the device to be manually rebooted. This vulnerability has not been validated by Hospira; however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so that additional monitoring and controls can be applied.

CVE-2015-3958 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).


Sources:

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01B

RECOMMENDATION

ICS-CERT Recommendations:

ICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCS Infusion System, Version 7.0 that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.

Hospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities. Specifically, the new version is intended to:

-Mitigate unauthorized remote access to the device,

-Disable the ability for unauthorized changes to the medication library,

-Remove hard-coded passwords to gain access to the device,

-Encrypt storage of wireless network keys, and

-Ensure that the vulnerable versions of AppWeb are no longer used.

Existing PCA Infusion Systems running Version 5.0 can be upgraded to Version 7.0 when it becomes available. Hospira will be retiring older versions of the LifeCare PCA Infusion System, Versions 2 and Versions 3, by the end of the year, 2015.

Hospira’s premarket 510(k) submission for the new LifeCare PCA Infusion System (Version 7.0) is currently being reviewed by the FDA. The release of the new system will be dependent on the clearance of Hospira’s 510(k).

For additional information about Hospira’s upcoming release, contact Hospira’s technical support at 1-800-241-4002.


ICS-CERT strongly encourages asset owners to perform a risk assessment by examining their specific clinical use of the LifeCare PCA Infusion System in their host environment to identify any potential impacts of the identified vulnerabilities. ICS-CERT offers the following compensating options:

-Temporarily disconnect the affected LifeCare PCA Infusion System from the wireless network until unused ports on the device are closed, to include Port 20/FTP and Port 23/TELNET. Once the unused ports have been closed, reconnecting the affected device to the wireless network should be done after ensuring that the host network is isolated from the Internet. The affected LifeCare PCA Infusion Systems should be isolated from untrusted systems; traffic to the device should be selectively controlled and monitored for anomalous activity.

-Disconnect the affected LifeCare PCA Infusion System from the wireless network and use a wired connection to the host network. The operational concerns associated with this option are primarily associated with the initial setup of the wired connection and verifying that the host network effectively implements good design practices prior to connection of the LifeCare PCA Infusion System.

-If neither of the previous two options are feasible, then disconnect the affected LifeCare PCA Infusion System from the wireless network until mitigations are available. Disconnecting the affected device from the wireless network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually and data normally transmitted to MedNet from the device, will not be available. Manual updates to each pump can be labor intensive and prone to entry error.


ICS-CERT encourages asset owners to implement the following defensive measures to protect against this and other cybersecurity risks. Specifically, users should:

-Ensure that unused ports are closed, to include Port 20/FTP and Port 23/TELNET.

-Hospira strongly recommends that healthcare providers change the default password used to access Port 8443.

-Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443.

Maintain layered physical and logical security to implement defense-in-depth security practices for environments operating medical devices.

Isolate the LifeCare PCA Infusion pump from the Internet and untrusted systems.

Produce an MD5 checksum of key files to identify any unauthorized changes.

Use good design practices that include network segmentation. Use DMZs with properly configured firewalls to selectively control traffic and monitor traffic passed between zones and systems to identify anomalous activity. Use the static nature of these isolated environments to look for anomalous activities.


FDA Recommendations:
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

Health care facilities can reduce the risk of unauthorized access by implementing the recommendations below:

-Follow the recommendations from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland in the May 13, 2015 Advisory Hospira LifeCare PCA Infusion System Vulnerabilities (Update A). These recommendations include the following:

-Close Port 20/FTP and Port 23/TELNET and any other unused ports on your LifeCare PCA3 and PCA5 Infusion Pump Systems.

-Isolate the LifeCare PCA Infusion Pump System from your Internet and untrusted systems. If you must connect to a host network, ensure that the host network is isolated from the Internet.

-Use interrogation techniques, such as an MD5 checksum of key files, to identify if there have been any unauthorized changes to your LifeCare PCA Infusion Pump System.

-Maintain layered physical and logical security practices for environments operating medical devices.

-Use good design practices that include network segmentation. Use properly configured firewalls to selectively control and monitor traffic passed among the systems within your organization.

-Perform a risk assessment by examining the specific clinical use of the Hospira LifeCare PCA Infusion Pump System in your organization’s environment to identify any potential impacts of the identified vulnerabilities. Use this risk assessment to help determine whether to maintain wireless connectivity between the Hospira LifeCare PCA Infusion Pump System and an isolated portion of your network, establish hard-wired connection between the system and your network, or to remove the system from the network.

CAUTION: Disconnecting the device will require drug libraries to be updated manually and data that is normally transmitted to MedNet from the device will not be available. Manual updates on each pump can be labor intensive and prone to entry error. If you adjust the drug-delivery settings on your Hopira LifeCare PCA Infusion Pump System manually, the FDA recommends that you verify the settings prior to starting an infusion.

-Look for and follow risk mitigation strategies outlined in an upcoming letter from Hospira to its customers. Customers can access the instructions and other risk mitigation measures via Hospira’s Advanced Knowledge Center.


Follow the good cybersecurity hygiene practices outlined in the FDA Safety Communication Cybersecurity for Medical Devices and Hospital Networks, posted in June 2013, including:

-Restricting unauthorized access to the network and networked medical devices.

-Making certain appropriate antivirus software and firewalls are up-to-date.

-Monitoring network activity for unauthorized use.

-Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

-Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.

-Developing and evaluating strategies to maintain critical functionality during adverse conditions.