There is a buffer overflow vulnerability in Hospira’s LifeCare PCA Infusion System and released prior to July 2009 and the Plum A+/A+3 Infusion Systems released prior to March 2009 all running Communication Engine (CE) Version 1.0 or earlier, according to a report on ICS-CERT.
In response to of SAINT Corporation’s Jeremy Richards’ reported vulnerability in the LifeCare PCA Infusion Systems, Hospira assessed the Plum A+/A+3 Infusion Systems and found the remotely exploitable vulnerability.
Hospira confirmed LifeCare PCA and Plum A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after the aforementioned dates, are not vulnerable.
Hospira does not yet have a fix for the issue, but is requesting users to contact them to discuss a solution.
The following product configurations suffer from the issue:
• LifeCare PCA Infusion System, Version 5.07 running CE Version 1.0 or earlier, released prior to July 2009
• Plum A+ Infusion System, Version 13.40 running CE Version 1.0 or earlier, released prior to March 2009
• Plum A+3 Infusion System, Version 13.40 running CE Version 1.0 or earlier, released prior to March 2009
Successful exploitation of the buffer overflow vulnerability may allow an attacker to remotely execute code on the affected device. Neither Hospira nor Richards demonstrated a remote code execution.
Acting out of an abundance of caution, ICS-CERT released the information to enhance healthcare providers’ awareness of this potential risk, so additional monitoring and controls can end up applied.
Hospira is a U.S.-based company that maintains offices in several countries around the world.
The affected products, the LifeCare PCA Infusion System and the Plum A+/A+3 Infusion System, are intravenous pumps that deliver medication to patients. The affected products see action across the healthcare and public health sector. Hospira said LifeCare PCA Infusion Systems primarily end up used in the U.S. and Canada. Hospira estimates that Plum A+ Infusion Systems see use on a global basis.
Hospira has confirmed that older communication engines, versions prior to CE Version 1.2, contain a remotely accessible buffer overflow vulnerability, via Port 5000/TCP.
CVE-2015-7909 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
Hospira’s LifeCare PCA Infusion System, released after July 2009 that uses CE Version 1.2 or later versions, does not contain the identified vulnerability. Hospira’s Plum A+/A+3 Infusion Systems, released after March 2009 that use CE Version 1.2 or later versions do not contain the identified vulnerability. Hospira is working with a third-party organization that has validated the CE Version 1.2 and later versions do not contain the reported vulnerability.
Hospira recommends that customers using vulnerable versions of LifeCare PCA or Plum A+/A+3 Infusion Systems should contact Hospira’s Advanced Knowledge Center to discuss options. Click here for contact information for Hospira’s Advanced Knowledge Center.