OTPulse

Hospira Plum A+ and Symbiq Infusion Systems Vulnerabilities

Act Now · ICS-CERT ICSA-15-161-01 · Mar 13, 2015
Summary

Hospira Plum A+ and Symbiq Infusion Systems contain multiple vulnerabilities: inadequate encryption, cleartext credential storage, weak access controls, a stack-based buffer overflow, and resource management flaws. The Symbiq Infusion System is an end-of-life product, retired by Hospira on May 31, 2015; Hospira reports that FTP (listed in the advisory as port 20, though the FTP control channel is port 21) and TELNET (port 23) have been closed on the remaining units during service visits. No vendor patches are available for any affected product version.

What this means
What could happen
An attacker who gains network access to these infusion systems could intercept unencrypted communications, steal stored credentials, bypass authentication controls, cause system crashes, or potentially execute arbitrary code on the device, disrupting drug delivery to patients.
Who's at risk
Healthcare facilities operating Hospira Plum A+, Plum A+3, or Symbiq infusion pumps. These devices deliver critical medications and anesthetics to patients; any compromise could affect patient safety and clinical operations. Particular concern for Symbiq systems as the product is end-of-life with no vendor support.
How it could be exploited
An attacker on the same network segment as an infusion pump could connect to its unencrypted management services (FTP and TELNET on Symbiq, or the equivalent services on Plum A+), authenticate with default or sniffed credentials, and then use the weak access controls or the buffer overflow to take control of the device or read the data it holds.
Prerequisites
  • Network access to the infusion system or its connected network
  • Knowledge of default or weak credentials stored on the device
  • Access to unencrypted service ports (FTP, TELNET, or equivalent on Plum A+)
Tags: No patch available · Default credentials · Cleartext credential storage · Unencrypted network communication · Buffer overflow (CWE-121) · Weak authentication and authorization · End-of-life product (Symbiq)
Exploitability
High exploit probability (EPSS 14.4%)
Affected products (3, all end-of-life)

Product | Affected Versions | Fix Status
Plum A+ Infusion System | ≤ 13.4 | No fix (EOL)
Plum A+3 Infusion System | ≤ 13.6 | No fix (EOL)
Symbiq Infusion System | ≤ 3.13 | No fix (EOL)

Note on Symbiq: As previously announced by Hospira in 2013, the Symbiq Infusion System was retired by Hospira on May 31, 2015 and will be fully removed from the market by December 2015. According to Hospira, during a recent service visit, the remaining Symbiq Infusion Systems have had Port 20/FTP and Port 23/TELNET closed.
Remediation & Mitigation
Do now
HARDENING: Isolate infusion systems on a segregated clinical network or VLAN with strict access controls; restrict network access to the pumps to authorized clinical workstations and medical device servers only.
WORKAROUND: Block FTP (ports 21 and 20; the advisory lists only port 20, but the FTP control channel is port 21) and TELNET (port 23) to the pumps at the network firewall. If a device requires these protocols for maintenance, allow them only from a dedicated maintenance host reached over VPN with multi-factor authentication.
WORKAROUND: Change any default credentials on the infusion system if the device interface allows; document the new credentials in a secure vault with access restricted to authorized clinical engineers.
Schedule — requires maintenance window

No vendor patch exists for these versions, so none of these steps is a firmware update; they still need a maintenance window because changes to the clinical network or to device configuration can interrupt pump connectivity.

HARDENING: Monitor network traffic to and from infusion systems for suspicious activity; alert on attempts to access unencrypted services or on multiple failed authentication attempts.
HARDENING: For Symbiq systems, develop a transition plan to replace end-of-life devices with newer supported models on an expedited timeline; prioritize facilities with the highest patient volume or critical care usage.
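The monitoring control above is the one that can be turned directly into detection logic. The following is an added example, not code from the advisory or from OTPulse: it parses a constructed firewall log in an assumed "timestamp key=value ..." format, and raises one alert when any host other than an assumed maintenance jump host reaches FTP or TELNET on a pump in an assumed pump VLAN, and another when one source accumulates repeated failed logins against one pump. The network addresses, the log format and the "msg" field are all assumptions made for the example; the port list watches 21 as well as the advisory's "Port 20/FTP", because 21 is the FTP control channel.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed addressing for this example: the segregated VLAN that holds the pumps
# and the single jump host clinical engineering is allowed to use for maintenance.
PUMP_NETWORK = ip_network("10.20.30.0/24")
MAINTENANCE_HOSTS = {ip_address("10.20.1.5")}

# Unencrypted services named in the advisory. It lists "Port 20/FTP"; the FTP
# control channel is port 21, so both FTP ports are watched alongside TELNET.
CLEARTEXT_PORTS = {20: "FTP-data", 21: "FTP-control", 23: "TELNET"}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample in an assumed "timestamp key=value ..." firewall log format.
# The 'msg' field stands in for whatever application-layer tag a firewall or
# proxy in front of the pumps would attach to a TELNET/FTP login outcome.
SAMPLE_LOG = """\
2015-06-10T08:01:12Z action=allow proto=tcp src=10.20.1.5 dst=10.20.30.17 dport=23 msg=session-open
2015-06-10T08:03:45Z action=allow proto=tcp src=10.20.40.9 dst=10.20.30.17 dport=23 msg=session-open
2015-06-10T08:03:46Z action=allow proto=tcp src=10.20.40.9 dst=10.20.30.17 dport=23 msg=login-failed
2015-06-10T08:03:49Z action=allow proto=tcp src=10.20.40.9 dst=10.20.30.17 dport=23 msg=login-failed
2015-06-10T08:03:52Z action=allow proto=tcp src=10.20.40.9 dst=10.20.30.17 dport=23 msg=login-failed
2015-06-10T08:05:00Z action=allow proto=tcp src=10.20.40.9 dst=10.20.30.22 dport=21 msg=session-open
2015-06-10T08:06:30Z action=allow proto=tcp src=10.20.50.2 dst=10.20.30.22 dport=443 msg=session-open
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line; return None if it does not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    try:
        rec["src"] = ip_address(rec["src"])
        rec["dst"] = ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def detect(log_text):
    """Return alerts for the two conditions the monitoring control asks for."""
    alerts = []
    seen = set()          # (src, dst, dport) already reported, so one session gives one alert
    failures = Counter()  # (src, dst) -> failed login count

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PUMP_NETWORK:
            continue

        # Rule 1: anything other than the maintenance host reaching FTP/TELNET on a pump.
        key = (rec["src"], rec["dst"], rec["dport"])
        if (rec["dport"] in CLEARTEXT_PORTS
                and rec["src"] not in MAINTENANCE_HOSTS
                and key not in seen):
            seen.add(key)
            alerts.append({
                "type": "cleartext-service-access",
                "ts": rec["ts"],
                "src": str(rec["src"]),
                "dst": str(rec["dst"]),
                "dport": rec["dport"],
                "service": CLEARTEXT_PORTS[rec["dport"]],
            })

        # Rule 2: repeated failed logins against one pump from one source,
        # reported once when the threshold is reached.
        if rec.get("msg") == "login-failed":
            pair = (rec["src"], rec["dst"])
            failures[pair] += 1
            if failures[pair] == FAILED_LOGIN_THRESHOLD:
                alerts.append({
                    "type": "repeated-login-failure",
                    "ts": rec["ts"],
                    "src": str(rec["src"]),
                    "dst": str(rec["dst"]),
                    "count": failures[pair],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample the maintenance host's TELNET session is not reported, the unauthorized workstation's TELNET and FTP sessions each produce one alert, and its three failed logins produce a single threshold alert; the HTTPS connection and the malformed line are ignored. In production the allow-list of maintenance hosts and the pump subnet would come from the network inventory rather than constants.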
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Plum A+ Infusion System ≤ 13.4, Plum A+3 Infusion System ≤ 13.6, and Symbiq Infusion System ≤ 3.13 (retired May 31, 2015; see the note in the affected products table). Apply the following compensating controls:
HARDENING: For Plum A+ and A+3 systems, contact Hospira for guidance on extended support options, or document formal risk acceptance for systems that cannot be replaced immediately.