Mitigation Plan for Infusion System Hole

Wednesday, July 22, 2015 @ 11:07 AM gHale

There is a vulnerability in Hospira’s Symbiq Infusion System, which could end up exploited to remotely control the device, in conjunction with previously identified vulnerabilities, according to a report from ICS-CERT.

Hospira verified the vulnerability only exists in the Symbiq Infusion System and the company provided compensating measures to help mitigate risks associated with the vulnerability. As previously announced by Hospira in 2013, the Symbiq Infusion System ended up May 31, this year and the company will fully remove it from the market by December.

Eaton Fixes Power System Hole
Siemens Fixes Authentication Bypass Hole
Siemens Fixes XSS Vulnerability
PACTware Fixes Exceptional Conditions Hole

Independent researcher Billy Rios identified the vulnerability and Kyle Kamke of Ramparts LLC assisted in the development of the proof-of-exploit.

Symbiq Infusion System, Version 3.13 and prior versions suffer from the issue.

Successful exploitation of this vulnerability, in conjunction with previously reported vulnerabilities, could allow an attacker to remotely control the operation of the device, potentially impacting prescribed therapy and patient safety.

Hospira is a U.S.-based company that maintains offices in several countries around the world.

The affected product, the Symbiq Infusion System, is an intravenous pump that delivers medication to patients. The affected product sees action across the healthcare and public health sectors. The Symbiq Infusion System sees use only in the U.S. and Canada.

With remote access and elevated privileges, the Symbiq Infusion System can remotely perform unanticipated operations.

CVE-2015-3965 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability. An attacker with medium skill would be able to exploit this vulnerability.

Asset owners should perform a risk assessment by examining their specific clinical use of the affected product in the host environment. In addition, asset owners should evaluate implementing the following defensive measures to protect against this and other risks:
• Disconnect the affected product from the network. Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to update manually. Manual updates to each pump can be labor intensive and prone to entry error.
• Ensure unused ports close off, including Port 20/FTP and Port 23/TELNET.
• Hospira recommends healthcare providers contact Hospira’s technical support to change the default password used to access Port 8443 or to close Port 8443. Contact Hospira’s technical support at 800-241-4002. Hospira is working directly with Symbiq customers to update the configuration of the pump to close access ports.
• Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443.
• Use good design practices that include network segmentation. Use DMZs with properly configured firewalls to selectively control traffic and monitor traffic passed between zones and systems to identify anomalous activity. Use the static nature of these isolated environments to look for anomalous activities.
• Maintain layered physical and logical security to implement defense-in-depth security practices for environments operating medical devices.
• Isolate all medical devices from the Internet and untrusted systems.