More Holes Filled in Healthcare System

Thursday, May 14, 2015 @ 04:05 PM gHale


There are additional publicly disclosed vulnerabilities in the Hospira LifeCare Infusion System, which have been validated by Hospira, according to a report on ICS-CERT.

ICS-CERT listed the additional vulnerabilities identified by the researcher named “tech” to provide notice so users can take additional defensive measures to mitigate risks associated with these vulnerabilities.

Previously, independent researcher Billy Rios found an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira’s LifeCare PCA Infusion System. ICS-CERT has been coordinating these issues with Hospira since May 2014.

Hospira developed a new version of the LifeCare PCA Infusion System and said this new version will mitigate these vulnerabilities. Hospira has submitted a premarket 510(k) submission of the new LifeCare PCA Infusion System to the U.S. Food and Drug Administration (FDA), and this submission is currently under review. The release of the new system will be dependent on the clearance of Hospira’s 510(k).

These vulnerabilities are remotely exploitable. There are some publicly available exploits that target some of these vulnerabilities.

The issues affect Hospira’s LifeCare PCA Infusion System, Version 5.0 and prior versions.

Exploitation of the improper authorization vulnerability may allow unauthenticated users to access the LifeCare PCA Infusion pump with root privileges by default. Exploitation of the insufficient verification of data authenticity vulnerability may allow an attacker to remotely push unauthorized modifications to the LifeCare PCA Infusion pump impacting medication libraries and pump configuration.

Successful exploitation of the newly identified hardcoded password, insecurely stored credential, and vulnerable software version vulnerabilities can impact the confidentiality, integrity, and availability of the LifeCare PCA Infusion pump.

While drug libraries, software updates, and pump configurations can be modified, according to Hospira, it is not possible to remotely operate the LifeCare PCA Infusion pump. Operation of the LifeCare PCA Infusion pump requires a clinician to be present at the pump to manually program the pump with a specified dosage before medication can be administered.

Hospira is a U.S.-based company that maintains offices in several countries around the world.

The affected product, the LifeCare PCA Infusion System, is an intravenous pump that delivers medication to patients. The affected products are deployed across the Healthcare and Public Health Sector. Hospira estimates these products are used in the U.S. and Canada.

The LifeCare PCA Infusion pump’s communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user may be able to issue commands to modify the wireless configuration of the pump.

CVE-2015-3459 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The LifeCare PCA Infusion pump could have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source. The LifeCare PCA Infusion pump listens on the following ports: Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.

CVE-2014-5406 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.

Hardcoded accounts may be used to access the device.

CVE-2015-1011 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

Wireless keys are stored in plain text on Version 5 of the LifeCare PCA Infusion System. Hospira said Version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting.

CVE-2015-1012 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.

The web server is reportedly running vulnerable versions of AppWeb, including Version 1.0.2, which contain numerous vulnerabilities. This vulnerability impacts LifeCare PCA Infusion Systems Version 5, prior to Version 5.07. According to Hospira, Version 3 of the LifeCare PCA Infusion System does not have wireless capability and, therefore, does not use the vulnerable versions of AppWeb.

An attacker with low skill would be able to exploit four of these vulnerabilities; the other vulnerability would require high skill to exploit.

ICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCA Infusion System, Version 7.0, that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.

Hospira has developed a new version of the LifeCare PCA Infusion System and said this new version will mitigate these vulnerabilities.

Specifically, the new version will:
• Mitigate unauthorized remote access to the device
• Disable the ability for unauthorized changes to the medication library
• Remove hard-coded passwords used to gain access to the device
• Encrypt storage of wireless network keys
• Ensure that the vulnerable versions of AppWeb are no longer used

Existing PCA Infusion Systems running Version 5.0 can upgrade to Version 7.0 when it becomes available. Hospira will be retiring older versions of the LifeCare PCA Infusion System, Versions 2 and 3, by the end of 2015.

Hospira’s premarket 510(k) submission for the new LifeCare PCA Infusion System (Version 7.0) is currently under review by the FDA. The release of the new system will be dependent on the clearance of Hospira’s 510(k).

ICS-CERT strongly encourages users to perform a risk assessment by examining their specific clinical use of the LifeCare PCA Infusion System in their host environment to identify any potential impacts of the identified vulnerabilities. ICS-CERT offers the following compensating options:
• Temporarily disconnect the affected LifeCare PCA Infusion System from the wireless network until unused ports on the device, including Port 20/FTP and Port 23/TELNET, are closed. Once the unused ports are closed, reconnect the affected device to the wireless network after ensuring the host network remains isolated from the Internet. The affected LifeCare PCA Infusion Systems should be isolated from untrusted systems; traffic to the device should be selectively controlled and monitored for anomalous activity.
• Disconnect the affected LifeCare PCA Infusion System from the wireless network and use a wired connection to the host network. The operational concerns with this option are primarily the initial setup of the wired connection and verifying that the host network effectively implements good design practices prior to connection of the LifeCare PCA Infusion System.
• If neither of the previous two options is feasible, then disconnect the affected LifeCare PCA Infusion System from the wireless network until mitigations are available. Disconnecting the affected device from the wireless network will have operational impacts. Disconnecting the device will require a manual update of drug libraries, and data normally transmitted to MedNet from the device will not be available. Manual updates to each pump can be labor intensive and prone to entry error.
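
The traffic monitoring recommended in the first option can be prototyped as a check over network flow records. The Python below is an added example, not code from ICS-CERT or Hospira; the pump subnet, the trusted MedNet server address and the flow-record format are constructed assumptions, while the port numbers are the ones named in the article.

```python
import ipaddress

# Assumptions for this sketch (not from the advisory): site-specific values.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")       # hypothetical pump VLAN
TRUSTED_SOURCES = {ipaddress.ip_address("10.20.1.5")}  # hypothetical MedNet server

# Ports the article names: 20/FTP and 23/TELNET should be closed;
# 80, 443 and 5000/UPNP are the other listening ports on the pump.
SHOULD_BE_CLOSED = {20, 23}
PUMP_SERVICE_PORTS = {80, 443, 5000}

# Constructed sample flow records: "timestamp src dst dst_port proto"
SAMPLE_FLOWS = """\
2015-05-14T09:00:01 10.20.1.5 10.20.30.17 443 tcp
2015-05-14T09:00:07 10.20.40.88 10.20.30.17 23 tcp
2015-05-14T09:01:12 10.20.1.5 10.20.30.21 23 tcp
2015-05-14T09:02:30 192.0.2.44 10.20.30.21 80 tcp
2015-05-14T09:03:00 10.20.40.88 10.20.50.9 23 tcp
malformed line
2015-05-14T09:04:10 10.20.40.90 10.20.30.17 5000 udp
"""

def review_flows(text):
    """Return (line_no, reason, record) for each flow that needs review."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        try:
            ts, src, dst, port, proto = fields
            src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            findings.append((line_no, "unparseable record", line))
            continue
        if dst not in PUMP_NET:
            continue  # not traffic to a pump
        if port in SHOULD_BE_CLOSED:
            # Any use of FTP/TELNET is flagged, even from a trusted host.
            findings.append((line_no, f"port {port} should be closed", line))
        elif src not in TRUSTED_SOURCES:
            kind = "pump service" if port in PUMP_SERVICE_PORTS else "unexpected"
            findings.append((line_no, f"untrusted source to {kind} port {port}", line))
    return findings

if __name__ == "__main__":
    for line_no, reason, record in review_flows(SAMPLE_FLOWS):
        print(f"line {line_no}: {reason}: {record}")
```

Unparseable records are reported rather than skipped, so a gap in the log feed is visible in the same review.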
