Minnesota-based speciality medical device manufacturer Smiths Medical is working to address several potentially serious vulnerabilities affecting some of the company’s wireless syringe infusion pumps.
According to an advisory published on Thursday by ICS-CERT, Smiths Medical’s Medfusion 4000 wireless syringe infusion pumps, which are used worldwide to deliver small doses of medication from a syringe in acute care settings, are affected by eight vulnerabilities that can be exploited remotely.
The flaws, discovered by independent researcher Scott Gayou, affect products running versions 1.1, 1.5 and 1.6 of the firmware. The vendor has promised to patch the weaknesses with the release of version 1.6.1 in January 2018, and in the meantime it recommends applying a series of defensive measures.
Only few details have been made public about each vulnerability in order to prevent exploitation, but ICS-CERT’s advisory shows that several of the flaws are considered critical or high severity.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” ICS-CERT warned.
The most serious security hole, tracked as CVE-2017-12725 with a CVSS score of 9.8, is related to the use of hardcoded credentials to automatically establish a wireless network connection if the default configuration is not changed.
The list of high severity vulnerabilities includes a buffer overflow that can be exploited for code execution in certain conditions (CVE-2017-12718), the lack of authentication and the presence of hardcoded credentials for the device’s FTP server (CVE-2017-12720 and CVE-2017-12724), and the lack of proper host certificate validation (CVE-2017-12721), which exposes the pump to man-in-the-middle (MitM) attacks.
The remaining flaws have been classified as having medium severity and they allow an attacker to crash the device’s communications module (without impacting the therapeutic module), authenticate to telnet via hardcoded credentials, and obtain passwords from configuration files.
Until patches are released, the vendor has advised customers to assign static IP addresses to pumps, monitor network activity for malicious DNS and DHCP servers, install the device on isolated networks, set strong and unique passwords, and regularly create backups.
Additionally, ICS-CERT recommends disabling the FTP server, closing unused ports, monitoring network traffic going to the pump, placing devices behind firewalls, and even temporarily disconnecting the pump from the network until patches become available.