Today the DHS ICS-CERT updated an advisory issued last month for Hospira infusion pumps and published a new advisory for similar problems in a newer line of Hospira pumps.
This is one of the most extensive updates I have seen since I have been watching ICS-CERT advisories, with 9 separate changes being made. The changes include adding a new researcher (Kyle Kamke of Ramparts, LLC), an impact update, four new vulnerabilities, updating the exploitability rating, modifying the attacker skill level, and adding two new mitigation measures.
The new vulnerabilities are:
∙ Stack-based buffer overflow - CVE-2015-3955;
∙ Insufficient verification of data authenticity - CVE-2014-5406;
∙ Key management error - CVE-2015-3957; and
∙ Uncontrolled resource consumption - CVE-2015-3958.
ICS-CERT is now reporting that a relatively low-skilled attacker could remotely exploit most of these vulnerabilities, which may allow the attacker to impact the core functions of the device.
The new advisory is a near duplicate of the updated advisory reported above. The only significant difference is that it is for a newer generation of Hospira infusion pumps. Hospira is releasing a new version of the infusion pump system that mitigates these vulnerabilities, but there is no indication that Rios has been given the opportunity to verify the efficacy of the fix.
The FDA advisory that was reported at the time of the last Hospira update has not been changed to reflect the new vulnerabilities or the new equipment. In fact, the link on that advisory still takes one to the old ICS-CERT advisory, which is no longer available. This is not an unusual problem when government agencies provide links to other agency web sites; there is very little inter-silo communication.
Billy Rios has an interesting blog post about the whole Hospira fiasco from his perspective as the researcher who has been working the issue for over a year now.