Today the DHS ICS-CERT updated an advisory issued last month
for Hospira infusion pump and published a new advisory for similar problems in
a newer line of Hospira pumps.
Hospira Update
This is one of the most extensive updates I have seen since
I have been watching ICS-CERT advisories with 9 separate changes being made.
The changes include adding a new researcher (Kyle Kamke of Ramparts, LLC),
an impact update, four new vulnerabilities, updating the exploitability rating,
modifying the attacker skill level, and adding two new mitigation measures.
The new vulnerabilities are:
∙ Stack-based buffer overflow - CVE-2015-3955;
∙ Insufficient verification of data authenticity - CVE-2014-5406;
∙ Key management error- CVE-2015-3957;
and
∙ Uncontrolled
resource consumption - CVE-2015-3958
ICS-CERT is now reporting that a relatively low skilled
attacker could remotely exploit most of these vulnerabilities which may allow
the attacker to impact the core functions of the device.
Hospira Advisory
This advisory is a
near duplicate of the updated advisory reported above. The only significant
difference is that it is for a newer generation of Hospira Infusion Pumps.
Hospira is releasing a new version of the infusion pump system that mitigates
these vulnerabilities, but there is no indication that Rios has been given the
opportunity to verify the efficacy of the fix.
Other Information
The FDA advisory that
was reported at the time of the last Hospira update has not been changed to
reflect the new vulnerabilities or the new equipment. In fact, the link on that
advisory still takes one to the old ICS-CERT advisory, which is no longer
available. This is not an unusual problem when government agencies provide
links to other agency web sites; very little inter-silo communication.
Billy Rios has an interesting
blog post about the whole Hospira fiasco from his perspective as the
researcher who has been working the issue for over a year now.
Posts
No comments:
Post a Comment