Rapid7 researchers found four vulnerabilities in Baxter and Sigma Spectrum infusion pumps. These devices deliver medications and nutrition to patients. They are TCP/IP-enabled and are typically connected to healthcare networks. The vulnerabilities could be exploited by a malicious actor to change system configuration and to gain access to sensitive patient information.
Rapid7 found the vulnerabilities about five months ago and reported them to Baxter. Rapid7 has been working with Baxter to address the low- and medium-severity vulnerabilities, and a report on them was recently published.
The vulnerabilities affect the following Baxter and Sigma Spectrum infusion pump models and Wireless Battery Module (WBM) versions:
- Baxter Spectrum IQ (v9.x) model 35700BAX3
- Sigma Spectrum v6.x model 35700BAX
- Sigma Spectrum v8.x model 35700BAX2
- Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28
- Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32) does not perform mutual authentication with the gateway server host. An attacker positioned between the WBM and the gateway (a machine-in-the-middle attack) can impersonate the gateway and alter device parameters, which can result in failure of the network connection. This medium-severity vulnerability is tracked as CVE-2022-26394 and has a CVSS v3 base score of 5.5. Authentication is now available in Spectrum IQ (v9.x), which resolves the vulnerability.
The Baxter Spectrum WBM (v20D29) is vulnerable to format string attacks via app messaging. An attacker who exploits the vulnerability can read WBM memory and obtain sensitive information, or cause a denial-of-service condition on the WBM. This medium-severity vulnerability is tracked as CVE-2022-26393 and has a CVSS v3 base score of 5.0. It is fixed in WBM version 20D30.
The researchers also found that the Baxter Spectrum WBM stores system credentials and patients' protected health information (PHI) unencrypted (PHI is only stored on Spectrum IQ pumps that use auto programming). An attacker with physical access to a device that has not had all data and settings erased can extract this sensitive information. This medium-severity vulnerability is tracked as CVE-2022-26390 and has a CVSS v3 base score of 4.2. Baxter said it is adding instructions to the Spectrum Operator's Manual on how to erase all data and settings from WBMs and pumps before decommissioning them or transferring them to another facility. The same instructions are also in the CISA ICS Medical Advisory.
When in superuser mode, the Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32) is vulnerable to format string attacks via app messaging, allowing an attacker to read WBM memory and obtain sensitive information. This low-severity vulnerability is tracked as CVE-2022-26392 and has a CVSS v3 base score of 3.1. Baxter is preparing software updates that deactivate FTP and Telnet to address it.
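Both format string findings above (CVE-2022-26393 and CVE-2022-26392) are the same bug class: text received over app messaging ends up as the format argument of a printf-style function. The C program below is an added example written for this page, not Baxter firmware or Rapid7's proof of concept; the logger, the two message-handling functions, the buffer layout and the sample message bodies are assumptions made for illustration. It runs the same untrusted body through a vulnerable handler that uses it as the format string and through a hardened handler that passes it as data, and includes a small directive counter that a message parser can use to reject or alert on bodies that should never contain conversion directives.

```c
/*
 * Format string via app messaging: vulnerable vs. hardened handler.
 * Added illustration, not vendor code. The message layout and the
 * handle_message_* / app_log functions are assumptions for this example.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A typical in-device logger: a printf-style wrapper around vsnprintf. */
static int app_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE: the message body received from the network is used as the
 * format string, so directives inside it are executed: %x/%p walk up the
 * stack and disclose memory, %s dereferences stack values (a crash, i.e.
 * denial of service), and %n writes to memory. */
int handle_message_vulnerable(char *out, size_t n, const char *body)
{
    return app_log(out, n, body);
}

/* HARDENED: the body is an argument to a fixed format string, so it is
 * copied as data and never interpreted. */
int handle_message_safe(char *out, size_t n, const char *body)
{
    return app_log(out, n, "msg: %s", body);
}

/* Defence in depth for a message parser: count conversion directives in
 * an untrusted string. "%%" is a literal percent sign, not a directive.
 * A non-zero count in a field that should be plain text is worth
 * rejecting, or at least logging as an attack indicator. */
size_t count_format_directives(const char *s)
{
    size_t count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char out[128];

    /* Constructed sample body. "%%" is the only directive that is well
     * defined without matching arguments, so it demonstrates that the
     * vulnerable path interprets the body without relying on undefined
     * behaviour: the vulnerable handler collapses it to a single '%'. */
    const char *body = "rate 100%% ok";
    handle_message_vulnerable(out, sizeof out, body);
    printf("vulnerable: %s\n", out);   /* rate 100% ok      (interpreted) */
    handle_message_safe(out, sizeof out, body);
    printf("safe:       %s\n", out);   /* msg: rate 100%% ok (verbatim)   */

    /* What an attacker would actually send: each %p pulls one value off
     * the stack. This is undefined behaviour and the output differs per
     * build and platform; it is here only to show the disclosure. */
    const char *probe = "%p.%p.%p.%p";
    printf("directives in probe: %zu\n", count_format_directives(probe));
    handle_message_vulnerable(out, sizeof out, probe);
    printf("leaked: %s\n", out);
    return 0;
}
```

The fix is always the same shape as `handle_message_safe`: untrusted text goes in as an argument, never as the format. In a firmware code base the cheap way to find the vulnerable shape is to annotate in-house printf wrappers such as `app_log` with `__attribute__((format(printf, 3, 4)))` and build with `-Wformat -Wformat-security`; GCC and Clang then flag every call that passes a non-literal format with no further arguments, which is exactly the pattern in `handle_message_vulnerable`.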