This morning the DHS ICS-CERT published two advisories for control systems from Hospira and CAREL.
Hospira Advisory
This advisory describes a buffer overflow vulnerability in two older versions of Hospira infusion pumps. The vulnerability was reported by Jeremy Richards of SAINT Corporation. Existing newer versions of the software do not contain the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability “to remotely execute code on the affected device”. ICS-CERT notes that neither Hospira nor Richards has demonstrated the code execution outcome, but it includes the possibility out of an abundance of caution.
In addition to updating to newer versions of the software, ICS-CERT recommends the following mitigation measures for these devices:
• Ensure that unused ports are closed on the affected devices to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
• Ensure that the default password used to access Port 8443 has been changed, or verify that the port is closed.
• Closing Port 5000/TCP does not impact the intended use of the device.
• Monitor and log all network traffic attempting to reach the affected products, to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443, and Port 5000/TCP.
• Isolate all medical devices from the Internet and untrusted systems.
• Produce a hash of key files to identify any unauthorized changes.
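One way to act on the "monitor and log" item above, as an added example (not ICS-CERT's or Hospira's code): it scans netfilter-style LOG lines for attempts to reach the advisory's listed ports on pump addresses. The pump subnet 10.20.30.0/24 and all log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports named in the advisory's mitigation list.
WATCHED_PORTS = {20: "Port 20/FTP", 21: "Port 21/FTP", 23: "Port 23/TELNET",
                 8443: "Port 8443", 5000: "Port 5000/TCP"}
# Assumption: the pumps sit in their own subnet (constructed value).
PUMP_NET = ip_network("10.20.30.0/24")
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample lines in netfilter LOG style.
SAMPLE_LOG = """\
Jun 10 08:01:12 gw kernel: IN=eth0 OUT=eth1 SRC=10.20.10.5 DST=10.20.30.17 PROTO=TCP SPT=40112 DPT=23
Jun 10 08:01:15 gw kernel: IN=eth0 OUT=eth1 SRC=10.20.10.5 DST=10.20.30.17 PROTO=TCP SPT=40113 DPT=23
Jun 10 08:02:40 gw kernel: IN=eth0 OUT=eth1 SRC=10.20.10.9 DST=10.20.30.17 PROTO=TCP SPT=51800 DPT=8443
Jun 10 08:03:02 gw kernel: IN=eth0 OUT=eth1 SRC=10.20.10.9 DST=10.20.30.40 PROTO=TCP SPT=51822 DPT=443
Jun 10 08:03:30 gw kernel: IN=eth0 OUT=eth1 SRC=10.20.10.5 DST=10.20.99.2 PROTO=TCP SPT=40200 DPT=21
Jun 10 08:04:11 gw kernel: IN=eth2 OUT=eth1 SRC=192.0.2.77 DST=10.20.30.40 PROTO=TCP SPT=33010 DPT=5000
Jun 10 08:04:12 gw kernel: IN=eth2 OUT=eth1 SRC=192.0.2.77 DST=10.20.30.40 PROTO=ICMP TYPE=8
Jun 10 08:05:00 gw sshd[812]: session opened for user admin
"""

def watched_attempts(lines, pump_net=PUMP_NET):
    """Count (src, dst, port) tuples aimed at a watched port on a pump address."""
    hits = Counter()
    for line in lines:
        fields = dict(FIELD.findall(line))
        if not {"SRC", "DST", "DPT"} <= fields.keys():
            continue  # not a TCP/UDP connection record
        try:
            dst, port = ip_address(fields["DST"]), int(fields["DPT"])
        except ValueError:
            continue  # malformed address or port
        if dst in pump_net and port in WATCHED_PORTS:
            hits[(fields["SRC"], str(dst), port)] += 1
    return dict(hits)

def report(hits):
    """One line per source/target/port, for review or alerting."""
    return [f"{src} -> {dst} {WATCHED_PORTS[port]} x{n}"
            for (src, dst, port), n in sorted(hits.items())]

if __name__ == "__main__":
    print("\n".join(report(watched_attempts(SAMPLE_LOG.splitlines()))))
```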
Hospira’s infusion pump web site contains two cybersecurity links for previously identified infusion pump vulnerabilities. It does not, however, mention this newly discovered vulnerability.
CAREL Advisory
This advisory describes an authorization bypass vulnerability in the CAREL PlantVisor application. The vulnerability was reported by Maxim Rupp. CAREL will not be fixing the vulnerability since the device is no longer supported (replaced by a newer product in 2007).
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain system access.