Hospira Multiple Products Buffer Overflow Vulnerability
ICSA: ICS Advisory (ICSA-15-337-02)
This advisory was originally posted to the US-CERT secure Portal library on December 3, 2015, and is being released to the NCCIC/ICS-CERT web site.
Jeremy Richards of SAINT Corporation has identified a buffer overflow vulnerability in Hospira’s LifeCare PCA Infusion System. Hospira has determined that LifeCare PCA Infusion Systems released prior to July 2009 that are running Communication Engine (CE) Version 1.0 or earlier are vulnerable. In response to Jeremy Richards’ reported vulnerability, Hospira has assessed other products and determined that Plum A+/A+3 Infusion Systems, released prior to March 2009 and running CE Version 1.0 or earlier versions, also contain the identified vulnerability. Hospira has confirmed that LifeCare PCA and Plum A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after the aforementioned dates, are not vulnerable.
This vulnerability could be exploited remotely.
The following product configurations are affected:
- LifeCare PCA Infusion System, Version 5.07 running CE Version 1.0 or earlier, released prior to July 2009;
- Plum A+ Infusion System, Version 13.40 running CE Version 1.0 or earlier, released prior to March 2009; and
- Plum A+3 Infusion System, Version 13.40 running CE Version 1.0 or earlier, released prior to March 2009.
Successful exploitation of the buffer overflow vulnerability may allow an attacker to remotely execute code on the affected device. Remote code execution has not been demonstrated by Hospira or the researcher. However, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness of this potential risk, so that additional monitoring and controls can be applied.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment and specific clinical usage.
Hospira is a US-based company that maintains offices in several countries around the world.
The affected products, the LifeCare PCA Infusion System and the Plum A+/A+3 Infusion System, are intravenous pumps that deliver medication to patients. The affected products are deployed across the Healthcare and Public Health Sector. Hospira estimates that LifeCare PCA Infusion Systems are primarily used in the US and Canada. Hospira estimates that Plum A+ Infusion Systems are used worldwide.
STACK-BASED BUFFER OVERFLOW [a]
Hospira has confirmed that older communication engines, versions prior to CE Version 1.2, contain a remotely accessible buffer overflow vulnerability, via Port 5000/TCP. The impact is localized to a subcomponent of the device.
This vulnerability could be exploited remotely.
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
An attacker with low skill would be able to exploit this vulnerability.
Hospira’s LifeCare PCA Infusion System, released after July 2009 that uses CE Version 1.2 or later versions, does not contain the identified vulnerability. Hospira’s Plum A+/A+3 Infusion Systems, released after March 2009 that use CE Version 1.2 or later versions do not contain the identified vulnerability. Hospira is working with a third-party organization that has validated that the CE Version 1.2 and later versions do not contain the reported vulnerability.
Hospira recommends that customers using vulnerable versions of LifeCare PCA or Plum A+/A+3 Infusion Systems should contact Hospira’s Advanced Knowledge Center to discuss options. Contact information for Hospira’s Advanced Knowledge Center is available at the following URL:
ICS-CERT strongly encourages asset owners to perform a risk assessment by examining their specific clinical use of the affected product in their host environment to identify any potential impacts of the identified vulnerabilities. ICS-CERT also reminds organizations to perform a proper impact analysis and risk assessment prior to deploying defensive measures. ICS-CERT recommends that asset owners operating vulnerable devices should consider applying the following defensive measures:
- Ensure that unused ports are closed on the affected devices to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
- Ensure that the default password used to access Port 8443 has been changed, or verify that the port is closed.
- Ensure that Port 5000/TCP is closed. Closing Port 5000/TCP does not impact the intended use of the device.
- Monitor and log all network traffic attempting to reach the affected products, to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443, and Port 5000/TCP.
- Isolate all medical devices from the Internet and untrusted systems.
- Produce a hash of key files to identify any unauthorized changes.
- Locate all medical devices and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
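One way to act on the monitoring measure in the list above, given as an added example that is not part of the ICS-CERT advisory or Hospira's guidance: a small filter that reads firewall log lines and reports TCP traffic reaching the pump network on the ports the advisory names. The iptables-LOG-style `KEY=value` line format, the `10.50.1.0/24` pump subnet and every sample log line are constructed assumptions.

```python
import ipaddress
import re

# Ports named in the advisory's defensive measures.
WATCHED_PORTS = {20, 21, 23, 8443, 5000}
OVERFLOW_PORT = 5000  # the advisory ties the buffer overflow to Port 5000/TCP

# Assumption: the infusion pumps sit in this subnet; replace with the real range.
PUMP_NET = ipaddress.ip_network("10.50.1.0/24")

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample input in an iptables-LOG-style format (assumed, not from the advisory).
SAMPLE_LOG = [
    "Dec  3 10:15:01 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.15 DST=10.50.1.23 PROTO=TCP SPT=51514 DPT=5000 SYN",
    "Dec  3 10:15:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.15 DST=10.50.1.23 PROTO=TCP SPT=51515 DPT=23 SYN",
    "Dec  3 10:15:09 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.77 DST=10.50.1.40 PROTO=TCP SPT=40022 DPT=8443 SYN",
    "Dec  3 10:16:00 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.77 DST=10.60.3.9 PROTO=TCP SPT=40100 DPT=5000 SYN",
    "Dec  3 10:16:05 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.31 DST=10.50.1.23 PROTO=TCP SPT=40101 DPT=443 SYN",
    "Dec  3 10:16:09 fw kernel: link eth2 up",
]

def findings(lines):
    """Return one record per TCP packet aimed at a watched port on a pump address."""
    out = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        try:
            dst = ipaddress.ip_address(fields["DST"])
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # not a packet record, or malformed
        if fields.get("PROTO") != "TCP" or dst not in PUMP_NET or dport not in WATCHED_PORTS:
            continue
        severity = "high" if dport == OVERFLOW_PORT else "review"
        out.append({"src": fields.get("SRC", "?"), "dst": str(dst), "port": dport, "severity": severity})
    return out

def sources_touching_multiple_ports(found):
    """Group findings by source and keep sources that reached more than one watched port."""
    ports_by_src = {}
    for rec in found:
        ports_by_src.setdefault(rec["src"], set()).add(rec["port"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) > 1}

if __name__ == "__main__":
    hits = findings(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["severity"]:6} {rec["src"]} -> {rec["dst"]}:{rec["port"]}')
    print("multi-port sources:", sources_touching_multiple_ports(hits))
```

Because the advisory states that closing Port 5000/TCP does not affect intended use, any hit on that port is rated `high` regardless of source.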
The researcher identified the buffer overflow vulnerability in a WiFi enabled LifeCare PCA 3 Infusion System. Hospira asserts that the LifeCare PCA 3 Infusion System is not indicated for wireless use, is not provided by Hospira with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting. Hospira is aware that there may be PCA 3 infusion pumps that have been modified by unauthorized third parties to be WiFi enabled. Any PCA 3 devices that have been altered to be WiFi enabled have not been validated by Hospira, they are not authorized by Hospira for this use, and they are not legally marketed prescription medical devices. Hospira recommends that any customer using a LifeCare PCA3 Infusion System that has been modified for wireless use should contact Hospira’s Advanced Knowledge Center.
ICS-CERT also provides a section for security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-121: Stack-based Buffer Overflow, http://cwe.mitre.org/data/definitions/121.html, web site last accessed December 03, 2015.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7909, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, web site last accessed December 03, 2015.