September 28, 2022
Multiple security vulnerabilities have been disclosed in Baxter's internet-connected infusion pumps used by healthcare professionals in clinical environments to dispense medication to patients. "Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a coordinated advisory. Infusion pumps…

Multiple security vulnerabilities have been disclosed in Baxter’s internet-connected infusion pumps used by healthcare professionals in clinical environments to dispense medication to patients.

“Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a coordinated advisory.

Infusion pumps are internet-enabled devices used by hospitals to deliver medication and nutrition directly into a patient’s circulatory system.

The four vulnerabilities in question, discovered by cybersecurity firm Rapid7 and reported to Baxter in April 2022, affect the following Sigma Spectrum Infusion systems –

  • Sigma Spectrum v6.x model 35700BAX
  • Sigma Spectrum v8.x model 35700BAX2
  • Baxter Spectrum IQ (v9.x) model 35700BAX3
  • Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
  • Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
  • Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28

The list of flaws uncovered is below –

  • CVE-2022-26390 (CVSS score: 4.2) – Storage of network credentials and patient health information (PHI) in unencrypted format
  • CVE-2022-26392 (CVSS score: 2.1) – A format string vulnerability when running a Telnet session
  • CVE-2022-26393 (CVSS score: 5.0) – A format string vulnerability when processing Wi-Fi SSID information, and
  • CVE-2022-26394 (CVSS score: 5.5) – Missing mutual authentication with the gateway server host

Successful exploitation of the above vulnerabilities could cause a remote denial-of-service (DoS), or enable an attacker with physical access to the device to extract sensitive information or alternatively carry out adversary-in-the-middle attacks.

The vulnerabilities could further result in a “loss of critical Wi-Fi password data, which could lead to greater network access should the network not be properly segmented,” Deral Heiland, principal security researcher for IoT at Rapid7, told The Hacker News.

Baxter, in an advisory, emphasized that the issues only affect customers who use the wireless capabilities of the Spectrum Infusion System, but also cautioned it could lead to a delay or interruption of therapy should the flaws be weaponized.

“If exploited, the vulnerabilities could result in disruption of [Wireless Battery Module] operation, disconnection of the WBM from the wireless network, alteration of the WBM’s configuration, or exposure of data stored on the WBM,” the company said.

The latest findings are yet another indication of how common software vulnerabilities continue to plague the medical industry, a concerning development given their potential implications affecting patient care.

That said, this is not the first time security flaws in infusion pumps have come under the scanner. Earlier this March, Palo Alto Networks Unit 42 disclosed that an overwhelming majority of infusion pumps were exposed to nearly 40 known vulnerabilities, highlighting the need to secure healthcare systems from security threats.

Baxter is recommending customers to ensure that all data and settings are erased from decommissioned pumps, place infusion systems behind a firewall, enforce network segmentation, and use strong wireless network security protocols to prevent unauthorized access.

It’s crucial to “implement processes and procedures to manage the de-acquisition of medical technology, [and] to assure that PII and/or configuration data such as Wi-Fi, WPA, PSK, etc., are purged from the devices prior to resale or transfer to another party,” Heiland said.

“Maintain strong physical security within and around medical areas containing MedTech devices, as well as areas with access to a biomed network. Implement network segmentation for all biomed networks to prevent other general or business networks from communicating with MedTech devices.”

Source