Healthcare Control System Holes Filled

Thursday, May 7, 2015 @ 04:05 PM gHale


While it may not affect the industrial sector, a control system has vulnerabilities in the health care industry that is worth noting.

Hospira developed a new version that mitigates an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in its LifeCare PCA Infusion System, according to a report on ICS-CERT.

RELATED STORIES
OPTO 22 Clears Two Vulnerabilities
Moxa Fixes Buffer Overflow Hole
Schneider Mitigates VAMPSET Hole
Ecava Patches IntegraXor DLL Holes

Independent researcher Billy Rios discovered the remotely exploitable vulnerabilities which ICS-CERT has been coordinating with Hospira since May 2014. The advisory went out to provide notice of public disclosures of the identified vulnerabilities in the LifeCare PCA Infusion System.

The fix is undergoing U.S. Food and Drug Administration (FDA) review and a release date for the new version is not yet available.

LifeCare PCA Infusion System, Version 5.0 and prior versions suffer from the issue.

Exploitation of the improper authorization vulnerability may allow unauthenticated users to access the LifeCare PCA Infusion pump with root privileges by default. Exploitation of the insufficient verification of data authenticity vulnerability may allow an attacker to remotely push unauthorized modifications to the LifeCare PCA Infusion pump impacting medication libraries and pump configuration. While drug libraries, software updates, and pump configurations can end up modified, according to Hospira, it is not possible to remotely operate the LifeCare PCA Infusion pump.

Operation of the LifeCare PCA Infusion pump requires a clinician to be present at the pump to manually program the pump with a specified dosage before medication can end up administered.

Hospira is a U.S.-based company that maintains offices in several countries around the world.

The affected product, the LifeCare PCA Infusion System, is an intravenous pump that delivers medication to patients. The affected products deployed across the Healthcare and Public Health Sector. Hospira estimates these products see use worldwide.

The LifeCare PCA Infusion pump’s communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user may be able to issue commands to modify the configuration of the pump.

CVE-2015-3459 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The LifeCare PCA Infusion pump could have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source. The LifeCare PCA Infusion pump listens on the following ports: Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.

CVE-2014-5406 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit one of these vulnerabilities; the other vulnerability would require high skill to exploit.

ICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCS Infusion System, Version 7.0 that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.

Existing PCA Infusion Systems running Version 5.0 can end up upgraded to Version 7.0 when it becomes available. Hospira’s Version 7.0 is undergoing review by the FDA prior to its release. The release date for Version 7.0 of the LifeCare PCA Infusion System has not been determined.



Leave a Reply

You must be logged in to post a comment.