Smiths-Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities

The devices, which are commonly used in critical care, has had 5 of the 8 vulnerabilities given a Common Vulnerability Scoring System (CVSS) score of over 8, which indicates that many pose a high-severity risk.

The vulnerabilities include:

• CVE-2017-12725 – the pump with default network configuration uses hard-coded credentials to establish a wireless network connection, even if the pump is connected via ethernet and active.
• CVE-2017-12718 – allows Remote Code Execution (RCE) on the target device under certain conditions and causes a buffer overflow.
• CVE-2017-12720 – the FTP server on the pump does not require any authentication if configured to allow FTP connections.
• CVE-2017-12724 – the FTP server on the pump contains hard coded credentials. The FTP server is only accessible if the pump is configured to allow FTP connections.
• CVE-2017-12721 – The pump does not validate the host certificate, leaving it vulnerable to Man-in-the-Middle (MitM) attacks.
• CVE-2017-12726 – Hardcoded credentials for Telnet and the impact is limited to the communications module.
• CVE-2017-12723 – Passwords are stored in the configuration file which is accessible if the pump is configured to allow external communications.
• CVE-2017-12722 – A third-party component in the pump reads memory out of bounds and can cause the communications module to crash. The manufacturer has assessed that this would not impact the operation of the therapeutic module.