Smiths-Medical has released new versions of its CADD-Solis Medication Safety Software to mitigate two vulnerabilities, according to an advisory published by ICS-CERT.
Smiths-Medical reports that an independent security expert tested the new versions to validate that they resolve the identified vulnerabilities. Andrew Gothard of Newcastle upon Tyne Hospitals NHS Foundation Trust discovered the remotely exploitable issues.
The following CADD-Solis Medication Safety Software versions suffer from the vulnerabilities:
• Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0
• Smiths-Medical CADD-Solis Medication Safety Software, Version 2.0
• Smiths-Medical CADD-Solis Medication Safety Software, Version 3.0
• Smiths-Medical CADD-Solis Medication Safety Software, Version 3.1
Successful exploitation of these vulnerabilities may allow an authenticated user to add users, delete users, and to modify permissions via the CADD-Solis Medication Safety Software.
Drug libraries stored in the CADD-Solis Medication Safety Software can also be modified. However, to push a modified drug library to a pump, a laptop running the CADD-Solis Medication Safety Software would have to be physically connected to one of two pump types: the CADD-Prizm System or the CADD-Solis Ambulatory Infusion Pump.
Smiths-Medical is headquartered in Plymouth, MN, and is a subsidiary of Smiths Group plc, which is a UK-based company.
The affected product, the CADD-Solis Medication Safety Software, is an application used to set dosage limits for infusion pumps. It can interface with the CADD-Prizm System and the CADD-Solis Ambulatory Infusion Pump, which are used across the healthcare and public health sector. Smiths-Medical says the product is deployed worldwide.
In the first vulnerability, the CADD-Solis Medication Safety Software grants an authenticated user elevated privileges on the SQL database, which allows that user to modify drug libraries, add and delete users, and change user permissions. According to Smiths-Medical, physical access to the pump is still required to install drug library updates.
CVE-2016-8355 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 9.9.
In addition, the affected software does not verify the identities of communication endpoints, which may allow a remote attacker to gain access to the communication channel between endpoints.
CVE-2016-8358 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 8.5.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.
Smiths-Medical has released new versions of the CADD-Solis Medication Safety Software that mitigate the identified vulnerabilities. The new versions are Version 3.2, distributed within the continental U.S., and Version 4.1, released outside the continental U.S.
Smiths-Medical recommends that CADD-Solis Medication Safety Software users install the applicable new version. Smiths-Medical also recommends that users take the following additional measures:
1. Apply strict password standards across systems, including requiring the use of upper case, lower case and special characters and a minimum password length of 8 characters
2. Establish and effectively manage an Active Directory
3. Create a SQL Express database account with managed permissions for use with the CADD-Solis Medication Safety Software
4. Establish and assign managed service accounts for all servers and medical infusion pumps
5. Use Virtual Local Area Network (VLAN) tagging
6. Implement server hardening procedures for both SQL and Windows servers
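The first vulnerability above (CVE-2016-8355) and mitigations 1, 3 and 4 come down to the same control: the account the CADD-Solis Medication Safety Software uses to reach its SQL Express database should hold only the data-access rights the application needs, not rights over other users or roles. The T-SQL script below is an added example of what such a least-privilege account looks like; it is not code from the advisory or from Smiths-Medical, and the database name CADDSolisDB, the schema name app, the login name CADDSolisApp, the domain placeholder and the exact set of granted rights are all assumptions, since the advisory does not describe the product's schema.

```sql
-- Added example (not from the advisory or Smiths-Medical).
-- Assumed names: database CADDSolisDB, schema app, login CADDSolisApp.

USE [master];
GO

-- Option A (mitigation 4): authenticate the service as a domain-managed
-- service account, so no password lives in the application configuration.
-- Replace HOSPITAL\svc-caddsolis$ with the real managed service account.
-- CREATE LOGIN [HOSPITAL\svc-caddsolis$] FROM WINDOWS
--     WITH DEFAULT_DATABASE = [CADDSolisDB];

-- Option B (mitigations 1 and 3): a SQL login whose password must satisfy
-- the Windows password policy (length, complexity) and expire on schedule.
CREATE LOGIN [CADDSolisApp]
    WITH PASSWORD         = N'<replace-with-policy-compliant-password>',
         CHECK_POLICY     = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = [CADDSolisDB];
GO

USE [CADDSolisDB];
GO

-- Map the login to a database user; do NOT add it to db_owner or sysadmin.
CREATE USER [CADDSolisApp] FOR LOGIN [CADDSolisApp];
GO

-- Grant only data access on the application's own schema.
GRANT SELECT, INSERT, UPDATE ON SCHEMA::[app] TO [CADDSolisApp];

-- Explicitly deny the rights that made CVE-2016-8355 severe: an application
-- user must not be able to add or drop users or alter role membership.
DENY ALTER ANY USER             TO [CADDSolisApp];
DENY ALTER ANY ROLE             TO [CADDSolisApp];
DENY ALTER ANY APPLICATION ROLE TO [CADDSolisApp];
DENY ALTER ANY SCHEMA           TO [CADDSolisApp];
GO

-- Periodic check (run as a DBA): list the effective permissions of the
-- application user so any later privilege creep is visible.
EXECUTE AS USER = 'CADDSolisApp';
SELECT permission_name, entity_name, subentity_name
FROM   fn_my_permissions(NULL, 'DATABASE')
ORDER  BY permission_name;
REVERT;

-- Role membership check: a correctly scoped account is in neither role.
SELECT IS_SRVROLEMEMBER('sysadmin', 'CADDSolisApp') AS is_sysadmin,
       IS_ROLEMEMBER('db_owner',    'CADDSolisApp') AS is_db_owner;
```

Only one of the two login options should be used; the Windows login variant is preferable where a managed service account exists because it removes the stored password entirely. The final two queries are the part worth scheduling: if the application user ever shows up in sysadmin or db_owner, or if fn_my_permissions lists ALTER ANY USER or ALTER ANY ROLE, the mitigation has been undone.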
For additional information about the identified vulnerabilities or to obtain the new version of the CADD-Solis Medication Safety Software, contact Smiths-Medical Technical Support by telephone at (800) 258 5361 or +01 614 210 7300, or by email.