Fix for Infusion Pump Issues in Jan.

Thursday, September 7, 2017 @ 04:09 PM gHale


Smiths Medical is planning to release a new product version in January to address eight vulnerabilities in its Medfusion 4000 Wireless Syringe Infusion Pump, according to a report from ICS-CERT.

In the meantime, ICS-CERT is recommending users apply the identified compensating controls until the new version can be applied.

These vulnerabilities, discovered by independent researcher Scott Gayo, are remotely exploitable.

The following Medfusion 4000 Wireless Syringe Infusion Pump versions suffer from the vulnerabilities:
• Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1
• Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5
• Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6

Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.

Plymouth, MN-based Smiths Medical is a subsidiary of Smiths Group plc, which is a UK-based company.

The affected products, Medfusion 4000 Wireless Syringe Infusion Pumps, are syringe infusion pumps used to deliver small doses of medication in acute care settings. According to Smiths Medical, the pumps are deployed across the healthcare and public health sector. Smiths Medical estimates these products are used worldwide.

In one vulnerability, a third-party component used in the pump does not verify input buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device. The pump receives the potentially malicious input infrequently and under certain conditions, increasing the difficulty of exploitation.

CVE-2017-12718 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

In addition, a third-party component used in the pump reads memory out of bounds, causing the communications module to crash. Smiths Medical assesses the crash of the communications module would not impact the operation of the therapeutic module.

CVE-2017-12722 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In another issue, the pump with default network configuration uses hard-coded credentials to automatically establish a wireless network connection. The pump will establish a wireless network connection even if the pump is Ethernet connected and active; however, if the wireless association is established and the Ethernet cable is attached, the pump does not attach the network stack to the wireless network. In this scenario, all network traffic is instead directed over the wired Ethernet connection.

CVE-2017-12725 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.

CVE-2017-12720 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

Also, the FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections.

CVE-2017-12724 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

In another vulnerability, Telnet on the pump uses hardcoded credentials, which can be used if the pump is configured to allow external communications. Smiths Medical assesses it is not possible to upload files via Telnet and the impact of this vulnerability is limited to the communications module.

CVE-2017-12726 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.6.

In addition, the pump does not validate the host certificate, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.

CVE-2017-12721 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, the pump stores some passwords in the configuration file, which are accessible if the pump is configured to allow external communications.

CVE-2017-12723 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.7.

No known public exploits specifically target these vulnerabilities. However, an attacker with high skill would be able to exploit these vulnerabilities.

Smiths Medical is planning to release Version 1.6.1 for the Medfusion 4000 Wireless Syringe Infusion Pump in January.

Smiths Medical recommends users apply the following defensive measures:
• Assign static IP addresses to the Medfusion 4000 Wireless Syringe Infusion Pump
• Monitor network activity for rogue DNS and DHCP servers
• Ensure the network segments in which the Medfusion 4000 medical infusion pumps are installed are segmented from other hospital and clinical information technology infrastructure
• Consider network micro segmentation
• Consider use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps
• Apply proper password hygiene standards across systems (i.e., use uppercase, lowercase, special characters, and a minimum character length of eight)
• Do not re-use passwords
• Routinely take backups and perform routine evaluations
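
One way to act on the recommendation to monitor for rogue DNS and DHCP servers, as an added example (not code from Smiths Medical or ICS-CERT): the Python below scans flow records touching the pump VLAN and flags DHCP or DNS server replies from hosts that are not on an approved list. The flow record format, the addresses and the approved-server lists are all constructed assumptions for illustration.

```python
import ipaddress

# Assumed site values, constructed for this example.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")      # VLAN holding the pumps
APPROVED = {"dhcp": {"10.20.30.2"}, "dns": {"10.20.30.3"}}
SERVER_PORTS = {67: "dhcp", 53: "dns"}                # UDP source port of a server reply

# Constructed flow records: time src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
09:00:01 10.20.30.2 67 10.20.30.41 68 udp
09:00:05 10.20.30.3 53 10.20.30.41 50112 udp
09:02:17 10.20.30.77 67 255.255.255.255 68 udp
09:02:40 10.20.30.41 50113 10.20.30.77 53 udp
09:02:41 10.20.30.77 53 10.20.30.41 50113 udp
09:03:00 192.0.2.10 53 192.0.2.55 40000 udp
"""

def find_rogue_servers(flow_text):
    """Return (time, service, src, dst) for unapproved DHCP/DNS replies on the pump VLAN."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "udp" or not parts[2].isdigit():
            continue  # skip malformed or non-UDP records
        ts, src, sport, dst, _dport, _proto = parts
        service = SERVER_PORTS.get(int(sport))
        if service is None:
            continue  # client-side traffic, not a server reply
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable address
        # Only consider replies that originate on or are sent into the pump VLAN.
        if not (src_ip in PUMP_NET or dst_ip in PUMP_NET):
            continue
        if src not in APPROVED[service]:
            alerts.append((ts, service, src, dst))
    return alerts

if __name__ == "__main__":
    for alert in find_rogue_servers(SAMPLE_FLOWS):
        print("ALERT unapproved %s server: %s -> %s at %s"
              % (alert[1], alert[2], alert[3], alert[0]))
```
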

For additional information about the vulnerabilities, proposed measures, or the release of the scheduled product fix, contact Smiths Medical Technical Support at +1 (800) 258 5361 or +01 614 210 7300 or via email.
