Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2534
Baxter SIGMA Spectrum Infusion System Vulnerabilities
1 October 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Baxter SIGMA Spectrum Infusion System
Publisher: ICS-CERT
Operating System: Network Appliance
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-5434 CVE-2014-5433 CVE-2014-5432
CVE-2014-5431
Original Bulletin:
https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory (ICSA-15-181-01)
Baxter SIGMA Spectrum Infusion System Vulnerabilities
Original release date: September 29, 2015
Legal Notice
All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see http://www.us-cert.gov/tlp/.
OVERVIEW
This advisory was originally posted to the US-CERT secure Portal library
on June 30, 2015, and is being released to the NCCIC/ICS-CERT web site.
Researcher Jared Bird with Allina IS Security identified four vulnerabilities
in Baxter's SIGMA Spectrum Infusion System. Baxter has released a new
version of the SIGMA Spectrum Infusion System, Version 8 that incorporates
hardware and software changes, which do not contain three of the four
identified vulnerabilities.
Three of the four vulnerabilities are remotely exploitable.
AFFECTED PRODUCTS
The following SIGMA Spectrum Infusion System versions are affected:
SIGMA Spectrum Infusion System, Version 6.05 (model 35700BAX) with
wireless battery module (WBM), Version 16. The WBM is a stand-alone
component that provides network connectivity to the pump.
IMPACT
Successful exploitation of these vulnerabilities may allow a remote attacker
to make unauthorized configuration changes to the WBM and gain information
about the host network such as wireless account credentials. According
to Baxter, it is not possible to change infusion parameters using the
identified vulnerabilities. In addition, the SIGMA Spectrum Infusion Pump
does not contain any personally identifiable information or patient health
information.
Impact to individual organizations depends on many factors that are unique
to each organization. ICS-CERT recommends that organizations evaluate the
impact of these vulnerabilities based on their operational environment
and specific clinical usage.
BACKGROUND
Baxter is a US-based company that maintains offices worldwide, including
the US, UK, Italy, India, Germany, France, China, and Australia.
The affected product, the SIGMA Spectrum Infusion System, is an intravenous
pump that delivers medication to patients. According to Baxter, SIGMA
Spectrum Infusion Systems are deployed across the Healthcare and Public
Health sector. Baxter estimates that these products are used in the US
and Canada.
VULNERABILITY CHARACTERIZATION
VULNERABILITY OVERVIEW
USE OF HARD-CODED PASSWORD[a]
Baxter's SIGMA Spectrum infusion pumps contain a hard-coded password, which
provides access to basic biomedical information, limited device settings,
and network configuration of the WBM, if connected. The hard-coded password
may allow an attacker with physical access to the device to access management
functions to make unauthorized configuration changes to biomedical settings
such as turn on and off wireless connections and the phase-complete audible
alarm that indicates the end of an infusion phase.
CVE-2014-5431[b] has been assigned to this vulnerability. A CVSS
v2 base score of 4.6 has been assigned; the CVSS vector string is
(AV:L/AC:L/Au:N/C:P/I:P/A:P).[c]
AUTHENTICATION BYPASS ISSUES[d]
The WBM is remotely accessible via Port 22/SSH without authentication. A
remote attacker may be able to make unauthorized configuration changes
to the WBM, as well as issue commands to access account credentials and
shared keys. Baxter asserts that this vulnerability only allows access to
features and functionality on the WBM and that the SIGMA Spectrum infusion
pump cannot be controlled from the WBM.
CVE-2014-5432[e] has been assigned to this vulnerability. A CVSS
v2 base score of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/Au:N/C:P/I:P/A:P).[f]
CLEARTEXT STORAGE OF SENSITIVE INFORMATION[g]
An unauthenticated remote attacker may be able to execute commands to
view wireless account credentials that are stored in cleartext on the WBM,
which may allow an attacker to gain access the host network.
CVE-2014-5433[h] has been assigned to this vulnerability. A CVSS
v2 base score of 9.0 has been assigned; the CVSS vector string is
(AV:N/AC:L/Au:N/C:C/I:P/A:P).[i]
USE OF HARD-CODED PASSWORD[j]
The WBM has a default account with hard-coded credentials used with the
FTP protocol. Baxter asserts no files can be transferred to or from the
WBM using this account.
CVE-2014-5434[k] has been assigned to this vulnerability. Baxter
has assigned a CVSS v2 base score of 5.0; the CVSS vector string is
(AV:N/AC:L/Au:N/C:P/I:N/A:N).[l]
VULNERABILITY DETAILS
EXPLOITABILITY
Three of the four vulnerabilities could be exploited remotely. Exploitation
of the hard-coded password vulnerability requires local access.
EXISTENCE OF EXPLOIT
No known public exploits specifically target these vulnerabilities.
DIFFICULTY
An attacker with a low skill level would be able to exploit these
vulnerabilities.
MITIGATION
Baxter offers the following recommendations to help mitigate risks associated
with these vulnerabilities in the SIGMA Spectrum Infusion System running
Version 6.05 with WBM Version 16.
Ensure that the WI-FI network supporting WBMs is secured using a secure
WI-FI protocol.
Separate the network supporting the WBMs with a standalone VLAN or
use similarly segmented network topography to isolate WBMs. This
would require an attacker to compromise the standalone WI-FI network
or otherwise gain access to the supporting VLAN before SSH access to
the WBM is possible.
Configure Wireless Access Points and Firewalls, which provide access
to the VLAN, to block Port 21/FTP and Port 22/SSH.
Ensure that network authentication credentials used by the WBM to
connect to the network are properly restricted to only allow access
to the wireless network.
As a last resort, customers may disable wireless operation of the
pump. The Sigma Spectrum Infusion System was designed to operate without
network access. This action would impact an organization's ability to
rapidly deploy drug library (formulary) updates to their pumps.
Baxter states that it has implemented a process to continually
evaluate cybersecurity risks and has defined a roadmap to mitigate
vulnerabilities. Baxter has released a new version of the SIGMA Spectrum
Infusion System, Version 8, which incorporates hardware and software changes
that do not contain three of the four identified vulnerabilities. In Version
8, Baxter has addressed the authentication bypass issue by removing the SSH
service from the WBM. The new version addresses the clear text storage of
sensitive information through modifications to the commands used to expose
network and WI-FI credentials on the WBM; security key information is now
masked or otherwise removed from command outputs. Furthermore, the path
to gain access to these commands is closed, as the SSH service has been
removed. In Version 8, Baxter has addressed the FTP hard-coded password
vulnerability by removing the FTP service from the WBM. Baxter has engaged
an independent security expert to confirm that Version 8 does not contain
the three remotely exploitable vulnerabilities.
Baxter has performed a cybersecurity risk analysis and has evaluated the
potential impact of the hard-coded password to access the device as being
low. Baxter plans to address this in a future release. Baxter recommends
that facilities employ physical security controls to ensure the safety of
the pump and WBM.
For additional information about the vulnerabilities, compensating measures,
or the new version of the SIGMA Spectrum Infusion System, contact Baxter
Technical Support at: 1-800-843-7867 or via email at: gts@baxter.com.
ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.
Minimize network exposure for all medical devices and/or systems and
ensure that they are not accessible from the Internet.
Locate all medical devices and/or systems behind firewalls and isolate
them from the business network.
When remote access is required, use secure methods, such as Virtual
Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
and should be updated to the most current version available. Also
recognize that VPN is only as secure as the connected devices.
ICS-CERT also provides a section for security
recommended practices on the ICS-CERT web page at:
http://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds
organizations to perform proper impact analysis and risk assessment prior
to deploying defensive measures.
Additional mitigation guidance and recommended practices are
publicly available in the ICS-CERT Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies, that is available for download from the ICS-CERT web site
(http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.
a.
CWE-259: Use of Hard-coded Password,
http://cwe.mitre.org/data/definitions/259.html, web site last accessed
June 30, 2015.
b.
NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5431,
NIST uses this advisory to create the CVE web site report. This web
site will be active sometime after publication of this advisory.
c.
CVSS Calculator,
http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:L/Au:N/C:P/I:P/A:P,
web site last accessed June 30, 2015.
d.
CWE-592: Authentication Bypass Issues,
http://cwe.mitre.org/data/definitions/592.html, web site last accessed
June 30, 2015.
e.
NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5432,
NIST uses this advisory to create the CVE web site report. This web
site will be active sometime after publication of this advisory.
f.
CVSS Calculator,
http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P,
web site last accessed June 30, 2015.
g.
CWE-312: Cleartext Storage of Sensitive Information,
http://cwe.mitre.org/data/definitions/312.html, web site last accessed
June 30, 2015.
h.
NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5433,
NIST uses this advisory to create the CVE web site report. This web
site will be active sometime after publication of this advisory.
i.
CVSS Calculator,
http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:P/A:P,
web site last accessed June 30, 2015.
j.
CWE-259: Use of Hard-coded Password,
http://cwe.mitre.org/data/definitions/259.html, web site last accessed
June 30, 2015.
k.
NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5434,
NIST uses this advisory to create the CVE web site report. This web
site will be active sometime after publication of this advisory.
l.
CVSS Calculator,
http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N,
web site last accessed June 30, 2015.
Contact Information
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov
ICS-CERT continuously strives to improve its products and services. You
can help by choosing one of the links below to provide feedback about
this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVgx34X6ZAP0PgtI9AQKPPhAAsHPlyiORx4ImbjawHOwsmqhNWjyyeSL2
vjPZ3nG41bWFUM/aFszz8afMWxIXbvdZ+ZV5bUlPlNo6I5ro0xL4amt5RWnzHVui
HcO0PwMZ3LYUtmU2+oN8DzHMHOIxLQBoLzR4jEmrYgCkUSjyNz0pMXESC3ZZsa7q
GpnN5lmlh0dwjxzidltcXk87jC2aHopGIQ9CMvJoBrmluXkTdD1WQIyeE1vNtlkA
lQHYb95BQdptx0Laq4vcp3/34zmVw8u+4JvTBwZ1QmjY/kqSSG0tVpB9EF2PL+BH
uzSaOpx5MSEIYZ+vqT8Rfn7jWbYUY/inwGVq2uLJChxXul7YFwt1MoltHYUdSTOQ
gZM9zXPI4wdSOjSBS7HYuqil1AKOpLH4EqlVTkCdoKeO+fZqyoG/85zdDhnlNgzt
beY2Wj+zV1zHrFoMM8Jq7d7gmbaEcidCMWYOKlgnRqqjG1A4Q0cf2JRuXtmb8a7L
DIqlgufv/LT8bRQnyGSr81Y7Ksmtr5dkbsWZC9RpblAJ7aYnrx9x4LMmUwwNsHw9
jhkBp+V05ugv+to+3tuNj8ib+xc+O9VkSzCnCeszm7h6AO6C43ZmYG0kE5jGrFUs
BvLo5FyTagyEtX1CHYxRBRiBiDGPVq9krZB68EU1AaMhyuKD5luN0+qfsTOPUT8/
kMgZfYUGvC0=
=Y5/W
-----END PGP SIGNATURE-----