OTPulse

ICSMA-17-227-01: BMC Medical and 3B Medical Luna CPAP Machine

Status: Monitor
Score: 4.6
Source: ICS-CERT ICSMA-17-227-01
Published: Aug 15, 2017
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Luna CPAP machines released prior to July 1, 2017 contain an input validation flaw (CWE-20) that allows an attacker with local network access and valid user credentials to send specially crafted commands to the device. This could result in modification of patient therapy settings, interruption of respiratory support, or denial of service affecting patient care.

What this means
What could happen
An attacker with local network access and valid credentials could modify CPAP therapy settings or interrupt patient treatment, potentially affecting respiratory support for hospitalized or home-care patients.
Who's at risk
Healthcare facilities operating Luna CPAP machines for patient respiratory support, including hospital ICUs, respiratory care units, sleep clinics, and home care agencies managing patients on continuous positive airway pressure therapy.
How it could be exploited
An attacker with network access and valid credentials could send specially crafted commands to the Luna CPAP machine to bypass input validation and modify therapy parameters such as pressure settings or alarm configurations, or cause the device to stop functioning.
Prerequisites
  • Adjacent network access to the Luna CPAP machine
  • Valid user credentials or access to an authenticated session
  • Knowledge of the device's command protocol
Key risk factors
  • No patch available (end-of-life device)
  • Affects critical care equipment
  • Input validation bypass
  • Requires valid credentials, but credentials may be shared or default
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product                                                          | Affected Versions | Fix Status
Luna CPAP Machine: all devices released prior to July 1, 2017    | < July 1, 2017    | No fix (EOL)
Remediation & Mitigation
Do now
  • Hardening: Restrict administrative access to Luna CPAP machines to authorized clinical and biomedical staff only
Mitigations - no patch available
The Luna CPAP Machine (all devices released prior to July 1, 2017) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • Hardening: Isolate Luna CPAP machines on a separate medical device network segment with strict access controls and firewall rules limiting traffic to only essential clinical workstations
  • Hardening: Implement network monitoring and logging of all communications to and from Luna CPAP machines to detect unauthorized command attempts
  • Hardening: Document all Luna CPAP devices in your inventory and establish a process to track firmware versions and security status