OTPulse

Smiths Medical CADD-Solis Medication Safety Software Vulnerabilities

Act Now | CVSS 9.9 | ICS-CERT ICSMA-16-306-01 | Aug 5, 2016
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Smiths Medical CADD-Solis Medication Safety Software versions 1.0 through 3.1 contain improper access control and permission issues (CWE-300, CWE-732) that could allow authenticated users with limited privileges to escalate to administrator access or modify medication delivery parameters and safety settings. The vulnerabilities enable unauthorized changes to infusion pump configurations and treatment protocols through the software's network management interface.

What this means
What could happen
An authenticated user with low privileges could escalate their access to administrator level or modify medication delivery parameters on infusion pumps, potentially altering drug dosages or treatment protocols without authorization.
Who's at risk
Healthcare facilities using Smiths Medical CADD-Solis medication infusion systems, particularly inpatient pharmacies, intensive care units, and medication management departments that rely on this software for pump configuration and dosage oversight.
How it could be exploited
An attacker with valid user credentials and network access to the CADD-Solis software system could exploit improper access controls or privilege escalation vulnerabilities to gain administrator privileges, then modify medication safety settings or infusion pump configurations remotely.
Prerequisites
  • Valid CADD-Solis user account credentials
  • Network access to CADD-Solis software server or management interface
  • Running one of the affected versions (1.0, 2.0, 3.0, or 3.1)
Risk factors
  • Requires valid credentials but low privilege level sufficient
  • Low complexity exploitation
  • No patch available for any affected version
  • Affects medication safety systems
  • High CVSS score (9.9)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
CADD-Solis Medication Safety Software: 1.0 | 1.0 | No fix yet
CADD-Solis Medication Safety Software: 2.0 | 2.0 | No fix yet
CADD-Solis Medication Safety Software: 3.0 | 3.0 | No fix yet
CADD-Solis Medication Safety Software: 3.1 | 3.1 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Isolate CADD-Solis systems on a dedicated network segment with restricted access controls; limit user access to the management interface to only authorized personnel
  • HARDENING: Implement network-level monitoring and access logging for all CADD-Solis management traffic to detect unauthorized configuration changes
  • HARDENING: Enforce strong password policies and multi-factor authentication (if supported) for all CADD-Solis user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Conduct regular audits of user access permissions and verify that users have only the minimum privileges required for their role
  • WORKAROUND: Contact Smiths Medical to request information on available security updates or recommendations for version upgrade paths
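
An added example, not part of the advisory or any Smiths Medical tooling: one way to run the access-permission audit recommended above, comparing an exported account list against the approved roles and flagging accounts whose privilege exceeds what was approved. The CSV layout, role names and account names are assumptions constructed for illustration.

```python
import csv
import io

# Hypothetical role names, least to most privileged (assumption, not the product's role model).
ROLE_RANK = {"viewer": 0, "clinician": 1, "pharmacist": 2, "administrator": 3}

# Constructed sample data: approved roles from the access-review record.
APPROVED_CSV = """username,role
jdoe,viewer
asmith,pharmacist
pharm_admin,administrator
"""

# Constructed sample data: accounts as currently exported from the application.
CURRENT_CSV = """username,role
jdoe,administrator
asmith,pharmacist
pharm_admin,administrator
svc_temp,clinician
ASmith2,superuser
"""


def load_roles(text):
    """Parse a username,role CSV into {lowercased username: lowercased role}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["username"].strip().lower(): r["role"].strip().lower() for r in rows}


def audit_accounts(approved, current):
    """Return sorted (username, finding) tuples for accounts that break least privilege."""
    findings = []
    for user, role in current.items():
        if role not in ROLE_RANK:
            findings.append((user, f"unknown role '{role}'"))
        elif user not in approved:
            findings.append((user, f"unapproved account with role '{role}'"))
        elif ROLE_RANK[role] > ROLE_RANK.get(approved[user], -1):
            findings.append((user, f"role '{role}' exceeds approved '{approved[user]}'"))
    # Approved accounts that vanished from the export may have been renamed or deleted.
    for user in approved.keys() - current.keys():
        findings.append((user, "approved account missing from export"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(load_roles(APPROVED_CSV), load_roles(CURRENT_CSV)):
        print(f"{user}: {finding}")
```

Run on each export and review every finding; an account that moved from a limited role to administrator without a matching approval is the outcome this advisory describes.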