Healthcare Control System Fix Update

Monday, June 15, 2015 @ 03:06 PM gHale


There is now an update to the Hospira LifeCare PCA Infusion System vulnerabilities, according to a report on ICS-CERT.

Independent researcher Billy Rios identified vulnerabilities in Hospira’s LifeCare PCA Infusion System, which ICS-CERT has been coordinating with Hospira since May 2014. Kyle Kamke of Ramparts, LLC independently identified an uncontrolled resource consumption vulnerability in Hospira’s Symbiq Infusion System. Hospira has not validated this vulnerability exists on the LifeCare PCA System.

ICS-CERT has become aware of publicly disclosed vulnerabilities in the LifeCare Infusion System, which Hospira validated. ICS-CERT reported these additional vulnerabilities identified by “tech” to provide notice, so asset owners and operators can take additional defensive measures to mitigate risks associated with these vulnerabilities.

RELATED STORIES
RLE HMI Vulnerability
N-Tron Encryption Key Vulnerability
Sinapsi Fixes eSolar Light Hole
XZERES Fixes Wind Turbine Hole

Hospira has developed a new version of the LifeCare PCA Infusion System and said the new version will mitigate these vulnerabilities. Hospira has submitted a premarket 510(k) submission of the new LifeCare PCA Infusion System to the U.S. Food and Drug Administration (FDA), and this submission is currently under review. The release of the new system will be dependent on the clearance of Hospira’s 510(k).

These vulnerabilities are remotely exploitable and attacks that target some of these vulnerabilities are publicly available.

LifeCare PCA Infusion System, Version 5.0 and prior versions suffer from the issues.

Successful exploitation of these vulnerabilities, in a worst case scenario, may allow an attacker to impact the core functions of the device.

Hospira is a U.S.-based company that maintains offices in several countries around the world.

The affected product, the LifeCare PCA Infusion System, is an intravenous pump that delivers medication to patients. The affected products see action across the healthcare and public health sector. Hospira estimates these products see use primarily in the U.S. and Canada.

The researcher has evaluated the device and asserts the device contains a buffer overflow vulnerability that could end up exploited to allow execution of arbitrary code on the device. Hospira has not validated this vulnerability. However, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so users can apply additional monitoring and controls.

CVE-2015-3955 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.

The LifeCare PCA Infusion pump’s communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user may be able to issue commands to modify the wireless configuration of the pump.

CVE-2015-3459 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The LifeCare PCA Infusion pump could have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source. The LifeCare PCA Infusion pump listens on the following ports: Port 20/FTP, Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.

CVE-2014-5406 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.

Hardcoded accounts may end up used to access the device.

CVE-2015-1011 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

Wireless keys end up stored in plain text on Version 5 of the LifeCare PCA Infusion System. According to Hospira, Version 3 of the LifeCare PCA Infusion System is not for wireless use, and not shipped with wireless capabilities. It should not end up modified for wireless use in a clinical setting.

CVE-2015-1012 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.

Private keys and certificates end up stored on the device.

CVE-2015-3957 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

The web server is reportedly running vulnerable versions of AppWeb, to include Version 1.0.2, which contain numerous vulnerabilities. This vulnerability impacts LifeCare PCA Infusion Systems Version 5, prior to Version 5.07. According to Hospira, Version 3 of the LifeCare PCA Infusion System does not have wireless capability and, therefore, does not use the vulnerable versions of AppWeb.

The device is susceptible to a denial of service condition as a result of an overflow of TCP packets, which requires the device to end up manually rebooted. Hospira has not validated this vulnerability, however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so users can apply additional monitoring and controls.

CVE-2015-3958 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

All but one of these vulnerabilities is remotely exploitable. Exploits that target some of these vulnerabilities are publicly available.

An attacker with low skill would be able to exploit all but two of these vulnerabilities; the remaining vulnerabilities would require high skill to exploit.

ICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCS Infusion System, Version 7.0 that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.

Hospira has developed a new version of the LifeCare PCA Infusion System and has stated this new version will mitigate these vulnerabilities. Specifically, the new version will:
• Mitigate unauthorized remote access to the device
• Disable the ability for unauthorized changes to the medication library
• Remove hard-coded passwords to gain access to the device
• Encrypt storage of wireless network keys
• Ensure that the vulnerable versions of AppWeb no longer end up used

Users can upgrade existing PCA Infusion Systems running Version 5.0 to Version 7.0 when it becomes available. Hospira will be retiring older versions of the LifeCare PCA Infusion System, Versions 2 and Versions 3, by the end of the year, 2015.

Hospira’s premarket 510(k) submission for the new LifeCare PCA Infusion System (Version 7.0) is currently under review by the FDA. The release of the new system will be dependent on the clearance of Hospira’s 510(k).