Independent researcher Billy Rios has identified vulnerabilities in Hospira’s Plum A+ Infusion System that are similar to vulnerabilities identified in Hospira’s LifeCare PCA Infusion System, while Kyle Kamke of Ramparts, LLC has identified an uncontrolled resource consumption vulnerability in Hospira’s Symbiq Infusion System, according to a report on ICS-CERT.
Hospira identified vulnerabilities in the Symbiq Infusion System.
ICS-CERT is reporting on these vulnerabilities to notify healthcare providers of a coordinated disclosure of vulnerability information and to provide additional defensive measures to help mitigate risks associated with these vulnerabilities. Hospira is releasing the Plum 360 Infusion System, a new version of Plum A+.
These vulnerabilities are remotely exploitable and some of these vulnerabilities are publicly available.
The following Hospira products suffer from the issues:
• Plum A+ Infusion System, Version 13.4 and prior versions
• Plum A+3 Infusion System, Version 13.6 and prior versions
• Symbiq Infusion System,a Version 3.13 and prior versions
Successful exploitation of these vulnerabilities, in a worst case scenario, may allow an attacker to impact the core functions of the device.
Hospira is a U.S.-based company that maintains offices in several countries around the world.
The affected products, the Plum A+ Infusion System (which includes Plum A+ and the Plum A+3 Infusion System), are intravenous pumps that deliver medication to patients. The affected products see use across the healthcare and public health sector. Hospira estimates these products see use worldwide.
The researcher has evaluated the device and asserts the device contains a buffer overflow vulnerability that could end up exploited to allow execution of arbitrary code on the device. Hospira has not validated this vulnerability. However, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so users can apply additional monitoring and controls.
CVE-2015-3955 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.
The communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump.
CVE-2015-3954 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
The device accepts drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. The device listens on the following ports: Port 20/FTP, Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.
CVE-2015-3956 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.
Hard-coded accounts may end up used to access the device.
CVE-2015-3953 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
Wireless keys end up stored in plain text on the device.
CVE-2015-3952 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.
Private keys and certificates end up stored on the device.
CVE-2015-3957 is the case number assigned to this vulnerability, which has a A CVSS v2 base score of 4.6.
The web server is reportedly running vulnerable versions of AppWeb, to include Versions 1.0.2, which contain numerous vulnerabilities. The Plum A+ Infusion System, versions prior to, but not including Version 13.4 and the Plum A+3 Infusion System, versions prior to, but not including Version 13.6 suffer from the issue. The Symbiq Infusion System, versions prior to, but not including Version 3.0 also have the issue.
The device is susceptible to a denial-of-service condition as a result of an overflow of TCP packets, which requires the device to manually reboot.
CVE-2015-3958 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
All but one of these vulnerabilities are remotely exploitable. Exploits that target some of these vulnerabilities are publicly available. An attacker with low skill would be able to exploit all but two of these vulnerabilities; the remaining vulnerabilities would require high skill to exploit.
Hospira is communicating with customers to direct them to close Port 20/FTP and Port 23/TELNET on the affected devices. In addition, Hospira is also releasing its Plum 360 Infusion System. Hospira asserts the Plum 360 uses a different architecture than the Plum A+ Infusion System and is not vulnerable to the reported vulnerabilities.