In-brief: The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.
A popular line of intravenous pumps used worldwide is vulnerable to a range of trivial, remote attacks, according to a warning from The Department of Homeland Security (DHS).
DHS’s Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory issued Tuesday that the MedNet software from the firm Hospira contains four, critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.
The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. Among other things, MedNet helps hospitals avoid medical errors – such as over- or under dosing. Doctors and nurses can use the software to set upper and lower dosing limits. MedNet is deployed across the Healthcare and Public Health Sector in the U.S., Europe and worldwide.
According to DHS, MedNet software up to and including Version 5.8 are vulnerable. The company has released a new version, 6.1 that addresses the vulnerabilities and is encouraging customers to update.
The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios’s discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps.
Rios also discovered that the MedNet software uses vulnerable versions of the JBoss Enterprise Application Platform software. That software could allow unauthenticated users to execute arbitrary code on the target system.
The vulnerability assigned to that issue, CVE-2014-5401k, was assigned a CVSS (Common Vulnerability Scoring System) severity rating of 10 – the highest possible rating. While no known public exploits specifically target these vulnerabilities, the alert notes that even an unskilled attacker could exploit the vulnerabilities.
Also discovered by Rios: the MedNet software uses hard-coded cryptographic keys, meaning that the private keys used to encrypt and decrypt communications to and from infusion pumps are written into the MedNet software. An attacker who obtained those keys could intercept and decipher encrypted traffic from infusion pumps.
Finally the MedNet software stores clear text usernames and passwords on the local file system of machines that are used during the installation process. An attacker with physical or logical access to those machines could compromise the MedNet installation, Rios discovered.
In an e-mail to Security Ledger, Rios said the security problems were “pretty nasty,” and said that more details will be forthcoming, though he declined to elaborate.
Hospira’s MedNet 6.1. update resolves the problem of hard-coded passwords, hard-coded cryptographic keys and clear text passwords in the configuration file.
As for the “code execution” flaw linked to the vulnerable JBoss Enterprise Application Platform software, Hospira has published knowledge base articles in August, 2014 to mitigate the threat. MedNet customers are encouraged to contact the company’s technical support line with questions.
Any attack on a vulnerable Hospira device would first have to defeat the security of the hospital’s perimeter and gain access to the internal hospital network. From there, they would need to be able to identify the MedNet devices on the network. Like other organizations, hospitals deploy firewalls, intrusion detection system software and other security products to protect their networks.
Infusion pumps are a special area of concern as hospital networks begin to more closely resemble traditional enterprise IT environments. Specifically: security experts warn that software vulnerabilities that seemed like remote threats when equipment was shunted off onto proprietary medical device networks might be exposed to a wider range of threats and actors – with potentially deadly consequences. The National Institute of Standards and Technology in December released an example of a reference document for securing wireless drug infusion pumps that was meant to be the first in a series of similar documents to provide guidance from the U.S. government for securing connected medical devices.
Also, the Food and Drug Administration (FDA) last year warned medical device makers to pay more attention to the security of their products.