Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

          Hospira Multiple Products Buffer Overflow Vulnerability
                              25 January 2016


        AusCERT Security Bulletin Summary

Product:           Hospira LifeCare PCA Infusion System
                   Hospira Plum A+ Infusion System
                   Hospira Plum A+3 Infusion System
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7909  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-337-02)

Hospira Multiple Products Buffer Overflow Vulnerability

Original release date: January 21, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.


This advisory was originally posted to the US-CERT secure Portal library on 
December 3, 2015, and is being released to the NCCIC/ICS-CERT web site.

Jeremy Richards of SAINT Corporation has identified a buffer overflow 
vulnerability in Hospiras LifeCare PCA Infusion System. Hospira has determined
that LifeCare PCA Infusion Systems released prior to July 2009 that are 
running Communication Engine (CE) Version 1.0 or earlier are vulnerable. In 
response to Jeremy Richards reported vulnerability, Hospira has assessed other
products and determined that Plum A+/A+3 Infusion Systems, released prior to 
March 2009 and running CE Version 1.0 or earlier versions, also contain the 
identified vulnerability. Hospira has confirmed that LifeCare PCA and Plum 
A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after
the aforementioned dates, are not vulnerable.

This vulnerability could be exploited remotely.


The following product configurations are affected:

LifeCare PCA Infusion System, Version 5.07 running CE Version 1.0 or earlier,
released prior to July 2009;

Plum A+ Infusion System, Version 13.40 running CE Version 1.0 or earlier, 
released prior to March 2009; and

Plum A+3 Infusion System, Version 13.40 running CE Version 1.0 or earlier, 
released prior to March 2009.


Successful exploitation of the buffer overflow vulnerability may allow an 
attacker to remotely execute code on the affected device. Remote code 
execution has not been demonstrated by Hospira or the researcher. However, 
acting out of an abundance of caution, ICS-CERT is including this information
to enhance healthcare providers awareness of this potential risk, so that 
additional monitoring and controls can be applied.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment and specific 
clinical usage.


Hospira is a US-based company that maintains offices in several countries 
around the world.

The affected products, the LifeCare PCA Infusion System and the Plum A+/A+3 
Infusion System, are intravenous pumps that deliver medication to patients. 
The affected products are deployed across the Healthcare and Public Health 
Sector. Hospira estimates that LifeCare PCA Infusion Systems are primarily 
used in the US and Canada. Hospira estimates that Plum A+ Infusion Systems are
used worldwide.




Hospira has confirmed that older communication engines, versions prior to CE 
Version 1.2, contain a remotely accessible buffer overflow vulnerability, via
Port 5000/TCP.

CVE-2015-7909 [b] has been assigned to this vulnerability. A CVSS v3 base score 
of 7.3 has been assigned; the CVSS vector string is 
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). [c]



This vulnerability could be exploited remotely.


No known public exploits specifically target this vulnerability.


An attacker with a low skill would be able to exploit this vulnerability.


Hospiras LifeCare PCA Infusion System, released after July 2009 that uses CE 
Version 1.2 or later versions, does not contain the identified vulnerability.
Hospiras Plum A+/A+3 Infusion Systems, released after March 2009 that use CE 
Version 1.2 or later versions do not contain the identified vulnerability. 
Hospira is working with a third-party organization that has validated that the
CE Version 1.2 and later versions do not contain the reported vulnerability.

Hospira recommends that customers using vulnerable versions of LifeCare PCA or
Plum A+/A+3 Infusion Systems should contact Hospiras Advanced Knowledge Center
to discuss options. Contact information for Hospiras Advanced Knowledge Center
is available at the following URL:

(link is external)

ICS-CERT strongly encourages asset owners to perform a risk assessment by 
examining their specific clinical use of the affected product in their host 
environment to identify any potential impacts of the identified 
vulnerabilities. ICS-CERT also reminds organizations to perform a proper 
impact analysis and risk assessment prior to deploying defensive measures. 
ICS-CERT recommends that asset owners operating vulnerable devices should 
consider applying the following defensive measures:

Ensure that unused ports are closed on the affected devices to include Port 
20/FTP, Port 21/FTP, and Port 23/TELNET.

Ensure that the default password used to access Port 8443 has been changed, or
verify that the port is closed.

Ensure that Port 5000/TCP is closed. Closing Port 5000/TCP does not impact the
intended use of the device.

Monitor and log all network traffic attempting to reach the affected products,
to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443, and Port 

Isolate all medical devices from the Internet and untrusted systems.

Produce a hash of key files to identify any unauthorized changes.

Locate all medical devices and remote devices behind firewalls, and isolate 
them from the business network.

When remote access is required, use secure methods, such as Virtual Private 
Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize that VPN is only
as secure as the connected devices.

The researcher identified the buffer overflow vulnerability in a WiFi enabled
LifeCare PCA 3 Infusion System. Hospira asserts that the LifeCare PCA 3 
Infusion System is not indicated for wireless use, is not provided by Hospira
with wireless capabilities, and should not be modified to be used in a 
wireless capacity in a clinical setting. Hospira is aware that there may be 
PCA 3 infusion pumps that have been modified by unauthorized third parties to
be WiFi enabled. Any PCA 3 devices that have been altered to be WiFi enabled 
have not been validated by Hospira, they are not authorized by Hospira for 
this use, and they are not legally marketed prescription medical devices. 
Hospira recommends that any customer using a LifeCare PCA3 Infusion System 
that has been modified for wireless use should contact Hospiras Advanced 
Knowledge Center.

ICS-CERT also provides a section for security recommended practices on the 
ICS-CERT web page at: 

Additional mitigation guidance and recommended practices are publicly 
available in the ICSCERT Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT web site 

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

a. CWE-121: Stack-based Buffer Overflow, 
http://cwe.mitre.org/data/definitions/121.html, web site last accessed 
December 03, 2015.

b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7909, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

c. CVSS Calculator, 
web site last accessed December 03, 2015.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov (link sends e-mail)

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 

ICS-CERT continuously strives to improve its products and services. You can 
help by choosing one of the links below to provide feedback about this 

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967