Hospira Multiple Products Buffer Overflow Vulnerability
Monitor · 7.3 · ICS-CERT ICSA-15-337-02 · Sep 5, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Hospira LifeCare PCA Infusion System and Plum A+ (version 13.40) and Plum A+3 (version 13.40) infusion pumps contain a buffer overflow vulnerability (CWE-121) that is reachable over the network without authentication. The vulnerability could allow an attacker to crash the device or execute arbitrary code. No vendor patches are available for the affected product versions.
What this means
What could happen
A buffer overflow in Hospira infusion pump systems could allow an attacker to crash the device or execute unauthorized code, potentially interrupting drug delivery to patients or altering medication doses.
Who's at risk
Healthcare facilities operating Hospira LifeCare PCA, Plum A+, or Plum A+3 infusion pump systems should take immediate action. Infusion pumps are critical-care devices that directly control medication delivery; any disruption or manipulation poses a direct risk to patient safety.
How it could be exploited
An attacker with network access to an affected infusion pump could send a specially crafted network message to trigger the buffer overflow. This could happen if the pump is connected to a clinical network or accessible via a networked hospital system.
Prerequisites
- Network access to the infusion pump on the clinical network
- No authentication required to trigger the vulnerability
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available
- Affects patient safety systems
- Medical device with patient-facing impact
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3), all end-of-life (EOL)
Product | Affected Versions | Fix Status
LifeCare PCA Infusion System (running CE) | 5.07 | No fix (EOL)
Plum A+ Infusion System (running CE) | 13.40 | No fix (EOL)
Plum A+3 Infusion System (running CE) | 13.40 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate affected Hospira infusion pumps from network connectivity where clinically feasible; use manual operation or air-gap the device if it does not require network access for critical functions
- HARDENING: Implement network segmentation and firewall rules to restrict access to infusion pump management ports; limit communication to only authorized clinical engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: Monitor network traffic to and from infusion pumps for unusual connection attempts or malformed packets
- HARDENING: Contact Hospira/Baxter for clarification on end-of-life status and potential extended support options for these systems
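The segmentation and monitoring steps above amount to one control: only a short allowlist of clinical engineering workstations may reach the pump segment, and anything else is logged and blocked. The script below is an added example, not part of the advisory or of any Hospira/Baxter tooling. It runs a constructed set of flow records through that allowlist and renders the equivalent nftables policy; the pump subnet, workstation addresses, service ports and log format are all assumptions made up for illustration, since the advisory names none of them.

```python
"""Allowlist-based monitoring of pump-bound traffic plus a matching firewall policy.

Added example, not from the advisory. Every address, port and flow record here is
constructed for illustration; substitute the real clinical VLAN and engineering
workstation inventory before use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the clinical VLAN holding the pumps and the only workstations
# (clinical engineering) that should ever talk to them.
PUMP_SUBNET = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED_WORKSTATIONS = frozenset({
    ipaddress.ip_address("10.20.5.10"),
    ipaddress.ip_address("10.20.5.11"),
})
# Constructed: service ports the engineering tools are expected to use.
EXPECTED_PORTS = frozenset({443, 8443})

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <bytes>".
SAMPLE_FLOWS = [
    "2015-12-01T10:00:01Z 10.20.5.10 10.20.30.14 443 1820",  # engineering workstation, expected port
    "2015-12-01T10:00:07Z 10.20.7.55 10.20.30.14 443 96",    # host outside the allowlist
    "2015-12-01T10:00:12Z 10.20.5.11 10.20.30.22 23 40",     # allowed host, unexpected port
    "2015-12-01T10:00:20Z 10.20.5.10 10.20.40.3 443 512",    # not pump traffic at all
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), int(nbytes))


def classify(flow: Flow) -> Optional[str]:
    """Return an alert reason for pump-bound traffic, or None when it is permitted."""
    if flow.dst not in PUMP_SUBNET:
        return None  # not addressed to a pump; outside this monitor's scope
    if flow.src not in AUTHORIZED_WORKSTATIONS:
        return "unauthorized-source"
    if flow.dport not in EXPECTED_PORTS:
        return "unexpected-port"
    return None


def review(lines: List[str]) -> List[Tuple[str, str, str, str, int]]:
    """Run each record through classify() and collect (ts, reason, src, dst, dport)."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow.ts, reason, str(flow.src), str(flow.dst), flow.dport))
    return alerts


def render_nft_policy() -> str:
    """Render an nftables forward-chain policy enforcing the same allowlist.

    Only allowlisted workstations may reach the pump subnet on the expected
    ports; every other packet towards the pumps is counted, logged and dropped.
    """
    srcs = ", ".join(str(a) for a in sorted(AUTHORIZED_WORKSTATIONS))
    ports = ", ".join(str(p) for p in sorted(EXPECTED_PORTS))
    return "\n".join([
        "table inet pump_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {{ {srcs} }} ip daddr {PUMP_SUBNET} tcp dport {{ {ports} }} accept",
        f"    ip daddr {PUMP_SUBNET} counter log prefix \"pump-deny \" drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for alert in review(SAMPLE_FLOWS):
        print("ALERT", *alert)
    print(render_nft_policy())
```

The monitor and the firewall policy are generated from the same two constants, so the detection rule and the enforcement rule cannot drift apart; the flow that is allowed by `classify()` is exactly the one the `accept` rule matches, and everything the monitor alerts on is what the `drop` rule logs.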
CVEs (1)
API: /api/v1/advisories/86825c39-814b-4cf4-8c69-c7ed74593435