===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0166
          Hospira Multiple Products Buffer Overflow Vulnerability
                               25 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hospira LifeCare PCA Infusion System
                   Hospira Plum A+ Infusion System
                   Hospira Plum A+3 Infusion System
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7909

Original Bulletin: http://ics-cert.us-cert.gov/advisories/ICSA-15-337-02

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-337-02)
Hospira Multiple Products Buffer Overflow Vulnerability

Original release date: January 21, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

This advisory was originally posted to the US-CERT secure Portal library on
December 3, 2015, and is being released to the NCCIC/ICS-CERT web site.

Jeremy Richards of SAINT Corporation has identified a buffer overflow
vulnerability in Hospira's LifeCare PCA Infusion System. Hospira has determined
that LifeCare PCA Infusion Systems released prior to July 2009 that are running
Communication Engine (CE) Version 1.0 or earlier are vulnerable.

In response to Jeremy Richards' reported vulnerability, Hospira has assessed
other products and determined that Plum A+/A+3 Infusion Systems, released prior
to March 2009 and running CE Version 1.0 or earlier versions, also contain the
identified vulnerability. Hospira has confirmed that LifeCare PCA and Plum
A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after
the aforementioned dates, are not vulnerable.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following product configurations are affected:

  * LifeCare PCA Infusion System, Version 5.07 running CE Version 1.0 or
    earlier, released prior to July 2009;
  * Plum A+ Infusion System, Version 13.40 running CE Version 1.0 or earlier,
    released prior to March 2009; and
  * Plum A+3 Infusion System, Version 13.40 running CE Version 1.0 or earlier,
    released prior to March 2009.

IMPACT

Successful exploitation of the buffer overflow vulnerability may allow an
attacker to remotely execute code on the affected device. Remote code execution
has not been demonstrated by Hospira or the researcher. However, acting out of
an abundance of caution, ICS-CERT is including this information to enhance
healthcare providers' awareness of this potential risk, so that additional
monitoring and controls can be applied.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment and specific
clinical usage.

BACKGROUND

Hospira is a US-based company that maintains offices in several countries
around the world.

The affected products, the LifeCare PCA Infusion System and the Plum A+/A+3
Infusion System, are intravenous pumps that deliver medication to patients.

The affected products are deployed across the Healthcare and Public Health
Sector. Hospira estimates that LifeCare PCA Infusion Systems are primarily used
in the US and Canada. Hospira estimates that Plum A+ Infusion Systems are used
worldwide.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

STACK-BASED BUFFER OVERFLOW [a]

Hospira has confirmed that older communication engines, versions prior to CE
Version 1.2, contain a remotely accessible buffer overflow vulnerability, via
Port 5000/TCP.

CVE-2015-7909 [b] has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). [c]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a low skill would be able to exploit this vulnerability.

MITIGATION

Hospira's LifeCare PCA Infusion System, released after July 2009 that uses CE
Version 1.2 or later versions, does not contain the identified vulnerability.
Hospira's Plum A+/A+3 Infusion Systems, released after March 2009 that use CE
Version 1.2 or later versions do not contain the identified vulnerability.
Hospira is working with a third-party organization that has validated that the
CE Version 1.2 and later versions do not contain the reported vulnerability.

Hospira recommends that customers using vulnerable versions of LifeCare PCA or
Plum A+/A+3 Infusion Systems should contact Hospira's Advanced Knowledge Center
to discuss options. Contact information for Hospira's Advanced Knowledge Center
is available at the following URL:

http://www.hospira.com/en/support_center/support_infusion_pumps_and_software/support_tsc

ICS-CERT strongly encourages asset owners to perform a risk assessment by
examining their specific clinical use of the affected product in their host
environment to identify any potential impacts of the identified
vulnerabilities. ICS-CERT also reminds organizations to perform a proper impact
analysis and risk assessment prior to deploying defensive measures.

ICS-CERT recommends that asset owners operating vulnerable devices should
consider applying the following defensive measures:

  * Ensure that unused ports are closed on the affected devices to include
    Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
  * Ensure that the default password used to access Port 8443 has been
    changed, or verify that the port is closed.
  * Ensure that Port 5000/TCP is closed. Closing Port 5000/TCP does not impact
    the intended use of the device.
  * Monitor and log all network traffic attempting to reach the affected
    products, to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443,
    and Port 5000/TCP.
  * Isolate all medical devices from the Internet and untrusted systems.
  * Produce a hash of key files to identify any unauthorized changes.
  * Locate all medical devices and remote devices behind firewalls, and
    isolate them from the business network.
  * When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
    and should be updated to the most current version available. Also
    recognize that VPN is only as secure as the connected devices.

The researcher identified the buffer overflow vulnerability in a WiFi enabled
LifeCare PCA 3 Infusion System. Hospira asserts that the LifeCare PCA 3
Infusion System is not indicated for wireless use, is not provided by Hospira
with wireless capabilities, and should not be modified to be used in a wireless
capacity in a clinical setting. Hospira is aware that there may be PCA 3
infusion pumps that have been modified by unauthorized third parties to be WiFi
enabled. Any PCA 3 devices that have been altered to be WiFi enabled have not
been validated by Hospira, they are not authorized by Hospira for this use, and
they are not legally marketed prescription medical devices. Hospira recommends
that any customer using a LifeCare PCA3 Infusion System that has been modified
for wireless use should contact Hospira's Advanced Knowledge Center.
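The "monitor and log all network traffic" measure above can be turned into a simple check over firewall logs that raises an alert whenever something tries to reach one of the listed ports on a pump, ranking 5000/TCP highest because it is the vulnerable CE service. This is an added example, not part of the ICS-CERT or AusCERT bulletin; the iptables-style log format, the 10.50.1.0/24 pump subnet and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Ports the advisory tells asset owners to close, then monitor and log.
WATCHED_PORTS = {
    20: "FTP data (close)",
    21: "FTP control (close)",
    23: "TELNET (close)",
    5000: "Communication Engine, CVE-2015-7909 (close)",
    8443: "management (change default password or close)",
}
# Assumption for this example: the pumps sit in their own isolated subnet.
PUMP_NETWORK = ipaddress.ip_network("10.50.1.0/24")
# Assumed log shape: iptables-style "SRC=... DST=... PROTO=TCP ... DPT=n".
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return the fields we need from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}

def find_alerts(lines):
    """Return one alert per attempt to reach a watched port on a pump address."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # destination is not an IP address we can evaluate
        if dst not in PUMP_NETWORK or rec["dpt"] not in WATCHED_PORTS:
            continue
        # 5000/TCP is the vulnerable CE service, so it gets the highest severity.
        severity = "high" if rec["dpt"] == 5000 and rec["proto"] == "TCP" else "medium"
        alerts.append({"src": rec["src"], "dst": rec["dst"], "port": rec["dpt"],
                       "severity": severity, "reason": WATCHED_PORTS[rec["dpt"]]})
    return alerts

# Constructed sample lines: the first two should alert, the last two should not.
SAMPLE_LOG = [
    "fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.50.1.20 PROTO=TCP SPT=40000 DPT=5000 SYN",
    "fw kernel: IN=eth0 SRC=10.50.1.5 DST=10.50.1.21 PROTO=TCP SPT=50001 DPT=23 SYN",
    "fw kernel: IN=eth0 SRC=192.0.2.12 DST=10.60.0.9 PROTO=TCP SPT=40002 DPT=5000 SYN",
    "fw kernel: link up on eth0",
]
```

Running `find_alerts(SAMPLE_LOG)` yields a high-severity alert for the 5000/TCP attempt and a medium one for the TELNET attempt; the hit outside the pump subnet and the malformed line are ignored.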
ICS-CERT also provides a section for security recommended practices on the
ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices.
Additional mitigation guidance and recommended practices are publicly available
in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber
Intrusion Detection and Mitigation Strategies, that is available for download
from the ICS-CERT web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

a. CWE-121: Stack-based Buffer Overflow,
   http://cwe.mitre.org/data/definitions/121.html, web site last accessed
   December 03, 2015.
b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7909, NIST
   uses this advisory to create the CVE web site report. This web site will be
   active sometime after publication of this advisory.
c. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...,
   web site last accessed December 03, 2015.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================