Pump Infusion System Holes Mended
Wednesday, September 30, 2015 @ 11:09 AM gHale
Baxter released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes that fix three of the four vulnerabilities in its SIGMA Spectrum Infusion System, according to a report on ICS-CERT.
SIGMA Spectrum Infusion System, Version 6.05 (model 35700BAX) with wireless battery module (WBM), Version 16 suffers from the vulnerabilities, discovered by researcher Jared Bird with Allina IS Security. The WBM is a stand-alone component that provides network connectivity to the pump. Three of the four vulnerabilities are remotely exploitable.
Successful exploitation of these vulnerabilities may allow a remote attacker to make unauthorized configuration changes to the WBM and gain information about the host network such as wireless account credentials.
According to Baxter, it is not possible to change infusion parameters using the identified vulnerabilities. In addition, the SIGMA Spectrum Infusion Pump does not contain any personally identifiable information or patient health information.
Baxter is a U.S.-based company that maintains offices worldwide, including the UK, Italy, India, Germany, France, China, and Australia.
The affected product, the SIGMA Spectrum Infusion System, is an intravenous pump that delivers medication to patients. According to Baxter, SIGMA Spectrum Infusion Systems deploy across the healthcare and public health sector. Baxter estimates these products see use in the U.S. and Canada.
Baxter’s SIGMA Spectrum infusion pumps contain a hard-coded password, which provides access to basic biomedical information, limited device settings, and the network configuration of the WBM, if connected. The hard-coded password may allow an attacker with physical access to the device to reach management functions and make unauthorized configuration changes to biomedical settings, such as turning wireless connections on and off and enabling or disabling the phase-complete audible alarm that indicates the end of an infusion phase.
CVE-2014-5431 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.
The WBM is remotely accessible via Port 22/SSH without authentication. A remote attacker may be able to make unauthorized configuration changes to the WBM, as well as issue commands to access account credentials and shared keys. Baxter said this vulnerability only allows access to features and functionality on the WBM; the SIGMA Spectrum infusion pump itself cannot be controlled from the WBM.
CVE-2014-5432 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
An unauthenticated remote attacker may be able to execute commands to view wireless account credentials stored in cleartext on the WBM, which may allow an attacker to gain access to the host network.
CVE-2014-5433 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.
The WBM has a default account with hard-coded credentials used with the FTP protocol. Baxter asserts no files can transfer to or from the WBM using this account.
CVE-2014-5434 is the case number assigned to this vulnerability, which Baxter assigned a CVSS v2 base score of 5.0.
Three of the four vulnerabilities are remotely exploitable; however, exploiting the hard-coded password vulnerability requires local access.
No known public exploits specifically target these vulnerabilities. An attacker with a low skill level would be able to exploit these vulnerabilities.
Baxter offers the following recommendations to help mitigate risks associated with these vulnerabilities in the SIGMA Spectrum Infusion System running Version 6.05 with WBM Version 16:
• Ensure the WI-FI network supporting WBMs uses a secure WI-FI protocol.
• Separate the network supporting the WBMs with a standalone VLAN, or use a similarly segmented network topology to isolate WBMs. This would require an attacker to compromise the standalone WI-FI network or otherwise gain access to the supporting VLAN before SSH access to the WBM is possible.
• Configure Wireless Access Points and Firewalls, which provide access to the VLAN, to block Port 21/FTP and Port 22/SSH.
• Ensure the network authentication credentials used by the WBM to connect to the network are properly restricted to allow access only to the wireless network.
• As a last resort, customers may disable wireless operation of the pump. The Sigma Spectrum Infusion System can operate without network access. This action would impact an organization’s ability to rapidly deploy drug library (formulary) updates to their pumps.
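The segmentation and port-blocking recommendations above are only effective if the firewall in front of the WBM VLAN actually enforces them. The following script, an added example that is not part of the original article nor code from Baxter or ICS-CERT, audits firewall logs for TCP traffic to ports 21 (FTP) and 22 (SSH) whose destination lies inside the WBM VLAN. An ACCEPT for such traffic is a policy gap (the block rule is missing or misordered); a DROP is evidence that the rule is working and that something on the network is probing the pumps. The log line format, the VLAN address range (10.20.30.0/24) and the sample lines are all constructed assumptions for illustration.

```python
"""Audit firewall logs for SSH/FTP traffic reaching the isolated WBM VLAN.

Constructed example: the log format, the VLAN address range and the sample
lines below are assumptions for illustration, not Baxter's or ICS-CERT's data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed address range of the stand-alone VLAN that isolates the WBMs.
WBM_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Services the advisory says to block at the access points and firewalls.
WATCHED_PORTS = {21: "FTP", 22: "SSH"}

# Assumed line format:
# "<timestamp> <ACCEPT|DROP> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one allowed SSH session into the VLAN (a policy gap),
# two dropped probes, benign traffic, and one malformed line.
SAMPLE_LOG = """\
2015-09-30T10:01:02Z ACCEPT proto=tcp src=10.50.1.15:51234 dst=10.20.30.7:22
2015-09-30T10:01:05Z DROP proto=tcp src=10.50.1.15:51240 dst=10.20.30.7:21
2015-09-30T10:02:11Z ACCEPT proto=tcp src=10.50.1.20:44321 dst=10.20.30.9:443
2015-09-30T10:03:44Z ACCEPT proto=udp src=10.20.30.7:5353 dst=10.20.30.1:53
2015-09-30T10:04:01Z DROP proto=tcp src=192.0.2.44:3333 dst=10.20.30.12:22
this line is not in the expected format
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    service: str
    action: str  # ACCEPT means the firewall let it through: a policy gap


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_wbm_access(lines: Iterable[str], vlan=WBM_VLAN) -> List[Finding]:
    """Flag every TCP packet to port 21 or 22 whose destination is in the WBM VLAN."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue  # malformed line, or not TCP (SSH and FTP are TCP services)
        dport = int(rec["dport"])
        if dport not in WATCHED_PORTS:
            continue
        if ipaddress.ip_address(rec["dst"]) not in vlan:
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport,
                                WATCHED_PORTS[dport], rec["action"]))
    return findings


def policy_gaps(findings: Iterable[Finding]) -> List[Finding]:
    """ACCEPTed SSH/FTP into the VLAN means the advisory's block rule is not enforced."""
    return [f for f in findings if f.action == "ACCEPT"]


def summarize(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Count findings per (service, action) for a quick report."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f.service, f.action)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_wbm_access(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.service:<3} {f.action:<6} {f.src} -> {f.dst}:{f.port}")
    print("policy gaps:", len(policy_gaps(hits)), "summary:", summarize(hits))
```

Run against the constructed sample, the script reports three findings: the accepted SSH session to 10.20.30.7 is the one policy gap, while the two drops show the block rule catching probes from inside the facility network and from an outside address. In practice the same check belongs in a scheduled job over the real firewall export, with the VLAN range and log parser adjusted to the site's actual configuration.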
Baxter said it implemented a process to continually evaluate cyber security risks and has defined a roadmap to mitigate vulnerabilities.
Baxter released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes that eliminate three of the four identified vulnerabilities. In Version 8, Baxter addressed the authentication bypass issue by removing the SSH service from the WBM. The new version addresses the cleartext storage of sensitive information through modifications to the commands that used to expose network and WI-FI credentials on the WBM; security key information is now masked or otherwise removed from command outputs. Furthermore, the path to reach those commands was closed when the SSH service was removed.
Also in Version 8, Baxter addressed the FTP hard-coded password vulnerability by removing the FTP service from the WBM. Baxter engaged an independent security expert to confirm Version 8 does not contain the three remotely exploitable vulnerabilities.
Baxter performed a cyber security risk analysis and has evaluated the potential impact of the hard-coded password to access the device as being low. Baxter plans to address this in a future release. Baxter recommends facilities employ physical security controls to ensure the safety of the pump and WBM.
For additional information about the vulnerabilities, compensating measures, or the new version of the SIGMA Spectrum Infusion System, contact Baxter Technical Support via email.