Researchers at Rapid7 have identified four vulnerabilities in Baxter and Sigma Spectrum infusion pumps, which are used to deliver medications and nutrition to patients. The devices are TCP/IP-enabled and are usually connected to healthcare networks. Successful exploitation of the vulnerabilities could allow malicious actors to make system configuration changes and access sensitive patient data.
The vulnerabilities were discovered around 5 months ago and were reported to Baxter. Rapid7 has been working with Baxter to resolve the medium- and low-severity vulnerabilities and recently published a report on the flaws.
The flaws affect the following Baxter and Sigma Spectrum infusion pumps:
- Sigma Spectrum v6.x model 35700BAX
- Sigma Spectrum v8.x model 35700BAX2
- Baxter Spectrum IQ (v9.x) model 35700BAX3
- Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28
The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32) does not perform mutual authentication with the gateway server host. This flaw could be exploited in a machine-in-the-middle attack in which device parameters are changed, causing the network connection to fail. The vulnerability is tracked as CVE-2022-26394 and has a CVSS v3 severity score of 5.5 (medium severity). Authentication is already available in Spectrum IQ, which resolves the vulnerability.
The Baxter Spectrum WBM (v20D29) is susceptible to format string attacks via application messaging. If the flaw is exploited, an attacker could read memory in the WBM and access sensitive information. The flaw could also be exploited to cause a denial-of-service condition on the WBM. The vulnerability is tracked as CVE-2022-26393 and has a CVSS v3 severity score of 5.0 (medium severity). The vulnerability has been addressed in WBM version 20D30.
The researchers discovered that network credentials and patients’ protected health information (PHI) are not encrypted in the Baxter Spectrum wireless battery modules. PHI is only stored in Spectrum IQ pumps using auto programming. An attacker with physical access to a vulnerable device that has not had all data and settings erased could extract sensitive information. The vulnerability is tracked as CVE-2022-26390 and has a CVSS v3 severity score of 4.2 (medium severity). Baxter said it is adding instructions to the Spectrum Operator’s Manual on how to erase all data and settings on WBMs and pumps before decommissioning and transferring the devices to other facilities. The instructions are also detailed in the CISA ICS Medical Advisory.
In superuser mode, the Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) are susceptible to format string attacks via application messaging, which could allow an attacker to read memory in the WBM and access sensitive information. The vulnerability is tracked as CVE-2022-26392 and has a CVSS v3 severity score of 3.1 (low severity). Software updates that disable Telnet and FTP to resolve the vulnerability are in progress.
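For asset triage, the following Python sketch is an added example (not code from Rapid7, Baxter or the original article) that matches WBM version strings from an inventory against the per-CVE version lists given above. The inventory, asset names and accepted version-string syntax are assumptions; CVE-2022-26390 is left out because the article gives no version list for it, so an empty result only means no match for the three version-scoped CVEs.

```python
import re

# Affected WBM versions as listed in the article. Each entry is
# (major, low_build, high_build); None means the base release with no
# "D" build suffix, e.g. "v16".
_COMMON = [(16, None, None), (16, 38, 38), (17, None, None), (17, 19, 19), (20, 29, 32)]
AFFECTED = {
    "CVE-2022-26394": _COMMON,          # no mutual authentication with gateway
    "CVE-2022-26393": [(20, 29, 29)],   # format string, addressed in 20D30
    "CVE-2022-26392": _COMMON,          # format string in superuser mode
}

# Assumed syntax: optional "v", major number, optional "D<build>".
_VERSION = re.compile(r"^v?(\d+)(?:D(\d+))?$", re.IGNORECASE)

def parse_wbm_version(text):
    """Return (major, build) where build is None for a base release."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised WBM version: {text!r}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)

def _in_range(build, lo, hi):
    if build is None or lo is None:
        return build is None and lo is None   # base release matches only itself
    return lo <= build <= hi

def cves_for(version):
    """List the version-scoped CVEs from the article that apply to a WBM version."""
    major, build = parse_wbm_version(version)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(major == m and _in_range(build, lo, hi) for m, lo, hi in ranges)
    )

def triage(inventory):
    """Map each asset to its matching CVEs; flag versions that cannot be parsed."""
    report = {}
    for asset, version in inventory.items():
        try:
            report[asset] = cves_for(version)
        except ValueError:
            report[asset] = ["UNPARSEABLE"]   # needs manual review
    return report

# Constructed sample inventory (asset tags are hypothetical).
INVENTORY = {"pump-icu-01": "v20D29", "pump-icu-02": "v20D30",
             "pump-er-07": "v16", "pump-er-09": "v22D24", "pump-or-03": "n/a"}

if __name__ == "__main__":
    for asset, cves in triage(INVENTORY).items():
        print(asset, INVENTORY[asset], cves or "no version-scoped match")
```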
The post 4 Vulnerabilities Identified in Baxter & Sigma Spectrum Infusion Pumps appeared first on HIPAA Journal.