-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0166
          Hospira Multiple Products Buffer Overflow Vulnerability
                              25 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hospira LifeCare PCA Infusion System
                   Hospira Plum A+ Infusion System
                   Hospira Plum A+3 Infusion System
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7909  

Original Bulletin: 
   http://ics-cert.us-cert.gov/advisories/ICSA-15-337-02

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-337-02)

Hospira Multiple Products Buffer Overflow Vulnerability

Original release date: January 21, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

This advisory was originally posted to the US-CERT secure Portal library on 
December 3, 2015, and is being released to the NCCIC/ICS-CERT web site.

Jeremy Richards of SAINT Corporation has identified a buffer overflow 
vulnerability in Hospira's LifeCare PCA Infusion System. Hospira has determined
that LifeCare PCA Infusion Systems released prior to July 2009 that are 
running Communication Engine (CE) Version 1.0 or earlier are vulnerable. In 
response to Jeremy Richards' reported vulnerability, Hospira has assessed other
products and determined that Plum A+/A+3 Infusion Systems, released prior to 
March 2009 and running CE Version 1.0 or earlier versions, also contain the 
identified vulnerability. Hospira has confirmed that LifeCare PCA and Plum 
A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after
the aforementioned dates, are not vulnerable.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following product configurations are affected:

LifeCare PCA Infusion System, Version 5.07 running CE Version 1.0 or earlier,
released prior to July 2009;

Plum A+ Infusion System, Version 13.40 running CE Version 1.0 or earlier, 
released prior to March 2009; and

Plum A+3 Infusion System, Version 13.40 running CE Version 1.0 or earlier, 
released prior to March 2009.

IMPACT

Successful exploitation of the buffer overflow vulnerability may allow an 
attacker to remotely execute code on the affected device. Remote code 
execution has not been demonstrated by Hospira or the researcher. However, 
acting out of an abundance of caution, ICS-CERT is including this information
to enhance healthcare providers' awareness of this potential risk, so that 
additional monitoring and controls can be applied.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment and specific 
clinical usage.

BACKGROUND

Hospira is a US-based company that maintains offices in several countries 
around the world.

The affected products, the LifeCare PCA Infusion System and the Plum A+/A+3 
Infusion System, are intravenous pumps that deliver medication to patients. 
The affected products are deployed across the Healthcare and Public Health 
Sector. Hospira estimates that LifeCare PCA Infusion Systems are primarily 
used in the US and Canada. Hospira estimates that Plum A+ Infusion Systems are
used worldwide.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

STACK-BASED BUFFER OVERFLOW [a]

Hospira has confirmed that older communication engines, versions prior to CE 
Version 1.2, contain a buffer overflow vulnerability that is remotely reachable 
via Port 5000/TCP.

CVE-2015-7909 [b] has been assigned to this vulnerability. A CVSS v3 base score 
of 7.3 has been assigned; the CVSS vector string is 
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). [c]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with low skill would be able to exploit this vulnerability.

MITIGATION

Hospira's LifeCare PCA Infusion Systems released after July 2009 that use CE 
Version 1.2 or later do not contain the identified vulnerability. Hospira's 
Plum A+/A+3 Infusion Systems released after March 2009 that use CE Version 1.2 
or later do not contain the identified vulnerability. 
Hospira is working with a third-party organization that has validated that the
CE Version 1.2 and later versions do not contain the reported vulnerability.

Hospira recommends that customers using vulnerable versions of LifeCare PCA or
Plum A+/A+3 Infusion Systems contact Hospira's Advanced Knowledge Center to 
discuss options. Contact information for Hospira's Advanced Knowledge Center 
is available at the following URL:

http://www.hospira.com/en/support_center/support_infusion_pumps_and_software/support_tsc

ICS-CERT strongly encourages asset owners to perform a risk assessment by 
examining their specific clinical use of the affected product in their host 
environment to identify any potential impacts of the identified 
vulnerabilities. ICS-CERT also reminds organizations to perform a proper 
impact analysis and risk assessment prior to deploying defensive measures. 
ICS-CERT recommends that asset owners operating vulnerable devices should 
consider applying the following defensive measures:

Ensure that unused ports are closed on the affected devices to include Port 
20/FTP, Port 21/FTP, and Port 23/TELNET.

Ensure that the default password used to access Port 8443 has been changed, or
verify that the port is closed.

Ensure that Port 5000/TCP is closed. Closing Port 5000/TCP does not impact the
intended use of the device.

Monitor and log all network traffic attempting to reach the affected products,
to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443, and Port 
5000/TCP.

Isolate all medical devices from the Internet and untrusted systems.

Produce a hash of key files to identify any unauthorized changes.

Locate all medical devices and remote devices behind firewalls, and isolate 
them from the business network.

When remote access is required, use secure methods, such as Virtual Private 
Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize that VPN is only
as secure as the connected devices.
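Two of the measures above, monitoring traffic to the listed ports and hashing key files, can be checked mechanically. The script below is an added example and is not ICS-CERT or Hospira tooling: it scans constructed netfilter-style firewall log lines for TCP attempts to the advisory's ports on pump addresses, counts attempts per source, and compares a recorded SHA-256 baseline against the current contents of a set of files. The pump addresses, the log lines and the file paths and contents are all constructed placeholders; the watched ports are the ones the advisory lists.

```python
import hashlib
import re
from collections import Counter

# Ports the advisory lists for monitoring; 5000/TCP is the one the vulnerable
# Communication Engine is reachable on.
WATCHED_PORTS = {20: "FTP-data", 21: "FTP", 23: "TELNET", 8443: "8443", 5000: "CE 5000/TCP"}

# Hypothetical inventory of pump addresses (constructed RFC 1918 values).
PUMP_ADDRESSES = {"10.20.30.11", "10.20.30.12"}

# Constructed netfilter-style firewall log lines; not real device traffic.
SAMPLE_LOG = """\
Jan 22 10:01:05 fw1 kernel: IN=eth1 OUT=eth2 SRC=10.20.40.5 DST=10.20.30.11 PROTO=TCP SPT=51022 DPT=5000 SYN
Jan 22 10:01:06 fw1 kernel: IN=eth1 OUT=eth2 SRC=10.20.40.5 DST=10.20.30.11 PROTO=TCP SPT=51023 DPT=23 SYN
Jan 22 10:01:09 fw1 kernel: IN=eth1 OUT=eth2 SRC=10.20.40.7 DST=10.20.30.12 PROTO=TCP SPT=40001 DPT=443 SYN
Jan 22 10:02:15 fw1 kernel: IN=eth1 OUT=eth2 SRC=10.20.40.9 DST=10.20.50.3 PROTO=TCP SPT=40002 DPT=5000 SYN
Jan 22 10:03:40 fw1 kernel: IN=eth1 OUT=eth2 SRC=10.20.40.5 DST=10.20.30.12 PROTO=TCP SPT=51030 DPT=8443 SYN
Jan 22 10:04:02 fw1 kernel: IN=eth1 OUT=eth2 SRC=10.20.40.5 DST=10.20.30.11 PROTO=UDP SPT=5353 DPT=5000
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def find_pump_probes(log_text, pumps=PUMP_ADDRESSES, ports=WATCHED_PORTS):
    """Return one (src, dst, port, label) tuple per TCP attempt at a watched
    port on a pump address. Other hosts, other ports, non-TCP lines and lines
    the regex cannot parse are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dpt = int(m.group("dpt"))
        if m.group("proto") == "TCP" and m.group("dst") in pumps and dpt in ports:
            hits.append((m.group("src"), m.group("dst"), dpt, ports[dpt]))
    return hits


def probes_per_source(hits):
    """Count hits per source address so a single scanning host stands out."""
    return Counter(src for src, _, _, _ in hits)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def compare_baseline(baseline_hashes, current_files):
    """baseline_hashes: {path: SHA-256 hex recorded when the device was commissioned}
    current_files:   {path: bytes read now}
    Returns the paths whose hash changed, that vanished, or that appeared."""
    changed = sorted(p for p, h in baseline_hashes.items()
                     if p in current_files and sha256_hex(current_files[p]) != h)
    missing = sorted(p for p in baseline_hashes if p not in current_files)
    new = sorted(p for p in current_files if p not in baseline_hashes)
    return {"changed": changed, "missing": missing, "new": new}


# Constructed "key files" for a pump image; the paths and contents are placeholders.
BASELINE_FILES = {"/pump/ce/config.bin": b"CE=1.0;WIFI=off\n",
                  "/pump/ce/engine.bin": b"\x7fELF-constructed-engine"}
BASELINE_HASHES = {p: sha256_hex(b) for p, b in BASELINE_FILES.items()}
CURRENT_FILES = {"/pump/ce/config.bin": b"CE=1.0;WIFI=on\n",  # altered since baseline
                 "/pump/ce/engine.bin": BASELINE_FILES["/pump/ce/engine.bin"],
                 "/pump/ce/extra.bin": b"unexpected"}        # not in the baseline


if __name__ == "__main__":
    hits = find_pump_probes(SAMPLE_LOG)
    for src, dst, port, label in hits:
        print(f"ALERT {src} -> {dst}:{port} ({label})")
    print(probes_per_source(hits))        # Counter({'10.20.40.5': 3})
    print(compare_baseline(BASELINE_HASHES, CURRENT_FILES))
```

The baseline hashes should be recorded offline when the device is known-good and kept off the device itself, so that an attacker who can alter the files cannot also alter the record they are compared against; the probe report is most useful fed into whatever alerting the firewall or SIEM already has, with the per-source count as the trigger.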

The researcher identified the buffer overflow vulnerability in a WiFi-enabled
LifeCare PCA 3 Infusion System. Hospira asserts that the LifeCare PCA 3 
Infusion System is not indicated for wireless use, is not provided by Hospira
with wireless capabilities, and should not be modified to be used in a 
wireless capacity in a clinical setting. Hospira is aware that there may be 
PCA 3 infusion pumps that have been modified by unauthorized third parties to
be WiFi-enabled. Any PCA 3 devices that have been altered to be WiFi-enabled 
have not been validated by Hospira, are not authorized by Hospira for this 
use, and are not legally marketed prescription medical devices. Hospira 
recommends that any customer using a LifeCare PCA 3 Infusion System that has 
been modified for wireless use contact Hospira's Advanced Knowledge Center.

ICS-CERT also provides a section for security recommended practices on the 
ICS-CERT web page at: 
http://ics-cert.us-cert.gov/content/recommended-practices.

Additional mitigation guidance and recommended practices are publicly 
available in the ICS-CERT Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT web site 
(http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

a. CWE-121: Stack-based Buffer Overflow, 
http://cwe.mitre.org/data/definitions/121.html, web site last accessed 
December 03, 2015.

b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7909, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

c. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S..., 
web site last accessed December 03, 2015.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 
http://ics-cert.us-cert.gov


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----