Today the DHS ICS-CERT updated the advisory for the Hospira
LifeCare PCA Infusion System that was originally
issued last week. The update adds new vulnerabilities and mitigation
information. Meanwhile the FDA has issued a Safety Communication on the same
device.
ICS-CERT Update
The ICS-CERT update notes that it has become aware of “additional publicly disclosed vulnerabilities in the LifeCare Infusion System”. ICS-CERT credits the reporting of these vulnerabilities to ‘tech’, apparently from the OXTECH Security blog that I mentioned in my post on the original advisory. Those vulnerabilities are:
∙ Use of hardcoded passwords - CVE-2015-1011;
∙ Clear text storage of sensitive information - CVE-2015-1012; and
∙ Vulnerable software version used – No CVE provided
The vulnerable software is a reference to vulnerable versions of AppWeb that were used by Hospira. The advisory notes that this software is known to contain numerous vulnerabilities. A listing of the CVEs (at least) would have been helpful.
While the new version of the Hospira software is undergoing
FDA review, this update provides additional mitigation measures that can be
undertaken.
FDA Advisory
In what looks to be a cybersecurity first for the FDA, they
have published an FDA
Safety Communication about the same vulnerabilities. In fact, the FDA
publication specifically references today’s ICS-CERT update for technical
information about the vulnerability and mitigation measures.
An interesting component of the FDA advisory is the
inclusion of a reference to voluntary reporting through MedWatch, the FDA
Safety Information and Adverse Event Reporting program. They specifically ask
medical providers experiencing the problems reported in this advisory to report
the incidents. This would help the FDA track and report actual exploits to the
medical community. ICS-CERT might want to consider establishing the same type
of reporting program for exploits of reported ICS vulnerabilities.
Missing Warnings
One critical thing that appears to be missing from both of
these advisories is a mention of the fact reported by ‘tech’ that access to the
clear text WPA keys on the device could provide an attacker with access to the
medical network to which these devices are connected. The OXTECH blog post
makes it clear that even after these devices are removed from service, the
presence of these keys will remain a potential threat to the networks until
that memory is wiped or the machines are physically destroyed.
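As an added defender-side example (not code from the advisory, the FDA communication, or the OXTECH post), the following Python check scans a device configuration export for cleartext wireless keys and passwords of the kind described above, so that a biomedical or network team can confirm what a unit still holds before it is wiped or leaves the facility. The export format here is a constructed key=value layout modelled on wpa_supplicant.conf; it is an assumption, not the pump's real storage format, and every value in it is made up. Secrets found are reported by line and key name with a short hash rather than the value itself, so the report can be circulated without copying the key around.

```python
import hashlib
import re
from typing import Dict, List, NamedTuple

# Constructed sample export from a hypothetical device. The layout is an
# assumption (modelled on wpa_supplicant.conf), not Hospira's real format,
# and every value below is made up.
SAMPLE_EXPORT = """\
device_name=pump-07
firmware=9.9.9-placeholder
network={
    ssid="CLINICAL-WLAN"
    key_mgmt=WPA-PSK
    psk="hunter2-constructed-not-a-real-key"
}
http_server=AppWeb
admin_password=changeme
telemetry_token=
"""


class Finding(NamedTuple):
    line_no: int      # 1-based line in the export
    key: str          # lower-cased key name that held the secret
    fingerprint: str  # short SHA-256 prefix of the value, never the value itself


# Key names whose values must never sit in the clear. The whole token before
# '=' has to match one alternative; matching is case-insensitive.
SECRET_KEY_PATTERN = re.compile(
    r'^\s*(?P<key>psk|wep_key\d*|password|passwd|admin_password'
    r'|[a-z_]*secret|[a-z_]*token)\s*=\s*(?P<value>.*?)\s*$',
    re.IGNORECASE,
)


def fingerprint(value: str) -> str:
    """12 hex chars of SHA-256: enough to correlate findings across exports
    without writing the secret into the report."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def find_cleartext_secrets(text: str) -> List[Finding]:
    """Return one Finding per line that stores a secret-bearing key in the clear."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY_PATTERN.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip('"')
        if not value:
            continue  # an empty value is a placeholder, not a stored secret
        findings.append(Finding(line_no, m.group("key").lower(), fingerprint(value)))
    return findings


def decommission_report(text: str) -> Dict[str, object]:
    """Summarise what the export exposes and what must happen before release.

    A cleartext WLAN key (psk / wep_key*) means the network, not just the
    device, is exposed: the PSK has to be rotated as well as the unit wiped.
    """
    findings = find_cleartext_secrets(text)
    wireless_key_present = any(
        f.key == "psk" or f.key.startswith("wep_key") for f in findings
    )
    if wireless_key_present:
        action = "rotate the WLAN PSK and wipe device storage before release"
    elif findings:
        action = "wipe device storage before release"
    else:
        action = "no cleartext secrets found in export"
    return {
        "findings": findings,
        "wireless_key_present": wireless_key_present,
        "action": action,
    }


if __name__ == "__main__":
    report = decommission_report(SAMPLE_EXPORT)
    for f in report["findings"]:
        print(f"line {f.line_no}: {f.key} stored in clear (sha256 {f.fingerprint}...)")
    print("wireless key present:", report["wireless_key_present"])
    print("action:", report["action"])
```

The key-name list is deliberately short and should be extended to whatever the real export actually uses; the point of the check is the decision logic, which treats a recovered wireless key as a network-wide exposure that a device wipe alone does not close.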