Thursday, January 21, 2016

ICS-CERT Publishes Two Advisories

This morning the DHS ICS-CERT published two advisories for control systems from Hospira and CAREL.

Hospira Advisory

This advisory describes a buffer overflow vulnerability in two older versions of Hospira infusion pumps. The vulnerability was reported by Jeremy Richards of SAINT Corporation. Existing newer versions of the software do not contain the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to “to remotely execute code on the affected device”. ICS-CERT notes that neither Hospira or Richards have demonstrated the code execution outcome, but it includes the possibility out of an abundance of caution.

In addition to updating to newer versions of the software, ICS-CERT recommends the following mitigation measures for these devices:

• Ensure that unused ports are closed on the affected devices to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
• Ensure that the default password used to access Port 8443 has been changed, or verify that the port is closed.
• Closing Port 5000/TCP does not impact the intended use of the device.
• Monitor and log all network traffic attempting to reach the affected products, to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443, and Port 5000/TCP.
• Isolate all medical devices from the Internet and untrusted systems.
• Produce a hash of key files to identify any unauthorized changes.
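
As an added illustration of the monitoring and isolation items above (not code from ICS-CERT or Hospira), this Python sketch reviews firewall log lines for attempts to reach the listed ports on a pump network segment and flags any source that is not on an allow-list. The log format, the subnet, the allowed server address and the sample lines are all constructed assumptions.

```python
import ipaddress

# Ports named in the mitigation list above.
WATCHED_PORTS = {20, 21, 23, 8443, 5000}
# Assumptions for illustration: the pump VLAN and the one server allowed to reach it.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.5")}

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2016-01-21T09:00:01 action=allow src=10.20.1.5 dst=10.20.30.11 dport=8443 proto=tcp
2016-01-21T09:02:17 action=deny src=192.0.2.44 dst=10.20.30.11 dport=23 proto=tcp
2016-01-21T09:05:40 action=allow src=10.20.7.90 dst=10.20.30.12 dport=5000 proto=tcp
2016-01-21T09:06:02 action=allow src=10.20.1.5 dst=10.20.40.2 dport=21 proto=tcp
2016-01-21T09:07:55 action=allow src=10.20.7.90 dst=10.20.30.12 dport=443 proto=tcp
truncated line with no fields
2016-01-21T09:09:30 action=deny src=198.51.100.7 dst=10.20.30.11 dport=21 proto=tcp
"""

def parse_line(line):
    """Return the record as a dict with typed src/dst/dport, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    rec["ts"] = parts[0]
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec

def review(log_text):
    """Return (events, alerts): all attempts on watched pump ports, and those
    coming from a source that is not on the allow-list."""
    events, alerts = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("proto") != "tcp":
            continue
        if rec["dst"] not in PUMP_NET or rec["dport"] not in WATCHED_PORTS:
            continue
        events.append(rec)      # log every attempt, allowed or denied
        if rec["src"] not in ALLOWED_SOURCES:
            alerts.append(rec)  # source is outside the allow-list
    return events, alerts

if __name__ == "__main__":
    events, alerts = review(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a.get("action"), a["src"], "->", a["dst"], a["dport"])
```

An allowed connection in the alert list (the Port 5000 line in the sample) means the segment is not isolated as intended; denied ones are attempts worth tracing back to their source.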

Hospira’s infusion pump web site contains two cybersecurity links for previously identified infusion pump vulnerabilities. It does not, however, mention this newly discovered vulnerability.

CAREL Advisory

This advisory describes an authorization bypass vulnerability in the CAREL PlantVisor application. The vulnerability was reported by Maxim Rupp. CAREL will not be fixing the vulnerability since the device is no longer supported (replaced by a newer product in 2007).

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain system access.

