
Baxter Sigma Spectrum Infusion Pump Vulnerabilities

CISA Medical Advisory released for six vulnerabilities found in two Sigma Spectrum and four Baxter Spectrum product lines




Affected platforms

The following platforms are known to be affected:

  • Sigma Spectrum v6.x model 35700BAX 
  • Baxter Spectrum v8.x model 35700BAX2 
  • Baxter Spectrum v9.x model 35700BAX3 
  • Sigma Spectrum LVP v6.x with Wireless Battery Modules v9, v11, v13, v14, v15, v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28 
  • Baxter Spectrum LVP v8.x with Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28 
  • Baxter Spectrum LVP v9.x with Wireless Battery Module v22D19 to v22D28 

Threat details

Introduction

Baxter has released details of multiple vulnerabilities affecting their Sigma Spectrum Infusion Pump system products. A remote, unauthenticated attacker could exploit some or all of these vulnerabilities to obtain sensitive data, alter device configurations, perform a man-in-the-middle attack, or cause denial-of-service conditions. 

Vulnerabilities

Successful exploitation of these vulnerabilities could result in access to sensitive data, alteration of system configuration, and impact to system availability. 

  • CVE-2020-12039 - CWE-259 - Sigma Spectrum Infusion System and Baxter Spectrum Infusion System contain hard-coded passwords which, when physically entered on the keypad, provide access to biomedical menus that include device settings, view of calibration values, and network configuration of the Sigma Spectrum Wireless Battery Module (WBM) if installed. A CVSS v3 base score of 4.3 has been calculated.
  • CVE-2020-12040 - CWE-319 - Sigma Spectrum Infusion System and Baxter Spectrum Infusion System at the application layer use an unauthenticated clear-text communication channel to send and receive system status and operational data. This could allow an attacker that has circumvented network security measures to view sensitive non-private data or to perform a man-in-the-middle attack. A CVSS v3 base score of 7.3 has been calculated.
  • CVE-2020-12041 - CWE-732 - The Baxter Spectrum WBM Telnet Command-Line Interface grants access to sensitive data stored on the WBM that permits temporary configuration changes to network settings of the WBM. This access allows the WBM to be rebooted. Temporary configuration changes to network settings are removed upon reboot. A CVSS v3 base score of 8.6 has been calculated.
  • CVE-2020-12043 - CWE-672 - When configured for wireless networking, the Baxter Spectrum WBM enables FTP service operating on the WBM to remain operational until the WBM is rebooted. A CVSS v3 base score of 7.3 has been calculated.
  • CVE-2020-12045 - CWE-259 - The Baxter Spectrum WBM operates a Telnet service with hard-coded credentials when connected to specific SSIDs. A CVSS v3 base score of 8.6 has been calculated.
  • CVE-2020-12047 - CWE-259 - The factory-default wireless configuration of the Baxter Spectrum WBM enables File Transfer Protocol (FTP) service with hard-coded credentials. A CVSS v3 base score of 7.3 has been calculated.

Threat updates

Date         Update
20 Sep 2022  Updated information

Cyber alert updated to reflect 4 additional affected product lines, changes to vulnerability descriptions, and alteration of remediation to include the recommendation to use the strongest available wireless network security protocols (e.g., WPA2, EAP-TLS, etc.) to provide authentication and encryption of wireless data sent to and from the Spectrum Infusion System. 


Remediation advice

Affected organisations should review the relevant CISA advisory ICSMA-20-170-04 and the Baxter Product Security Bulletin.

Baxter recommends: 

  • ensuring appropriate physical controls within user environments to protect against unauthorised access to devices.  
  • isolating the Spectrum Infusion System on its own network VLAN to segregate the system from other hospital systems, and reduce the probability that a threat actor could execute an adjacent attack such as a MiTM attack against the system to observe clear-text communications.
  • using the strongest available wireless network security protocols (e.g., WPA2, EAP-TLS, etc.) to provide authentication and encryption of wireless data sent to and from the Spectrum Infusion System. 
  • ensuring the WBM is rebooted after configuration for their network(s) by removing the WBM from the rear of the Spectrum device for 10-15 seconds, and then re-attaching the WBM.  
  • Users should always monitor for and/or block unexpected traffic, such as FTP, at network boundaries into the Spectrum-specific VLAN. 
  • As a last resort, users may disable wireless operation of the pump. The Spectrum Infusion System was designed to operate without network access. This action would impact an organisation’s ability to rapidly deploy drug library (formulary) updates to their pumps. 
  • For additional information, please see the Baxter Product Security Bulletin.
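
The recommendation to monitor for unexpected traffic such as FTP at the boundary of the Spectrum-specific VLAN can be checked against firewall flow logs. The following is an added example, not code from Baxter, CISA or this alert; the log format, the VLAN subnet and the use of the default FTP and Telnet ports (21 and 23) are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): the pump VLAN subnet and the
# default service ports for FTP (21) and Telnet (23).
PUMP_VLAN = ipaddress.ip_network("10.20.30.0/24")
WATCHED_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed sample flow records: time, src, dst, proto, dst_port, action
SAMPLE_FLOWS = """\
2022-09-20T09:00:01Z 10.20.30.15 10.50.1.10 tcp 443 allow
2022-09-20T09:00:07Z 10.50.9.44 10.20.30.15 tcp 21 allow
2022-09-20T09:01:12Z 10.50.9.44 10.20.30.16 tcp 23 deny
2022-09-20T09:02:30Z 10.20.30.17 10.20.30.15 tcp 23 allow
2022-09-20T09:03:00Z 10.50.1.10 10.20.30.15 tcp 51243 allow
malformed line
2022-09-20T09:04:45Z 10.50.9.44 10.20.30.15 udp 21 allow
"""

def find_unexpected(flow_text, vlan=PUMP_VLAN, ports=WATCHED_PORTS):
    """Return findings for FTP/Telnet flows that cross into the pump VLAN."""
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than abort the scan
        ts, src, dst, proto, port, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        # Only traffic entering the VLAN from outside is a boundary event.
        crosses_boundary = dst_ip in vlan and src_ip not in vlan
        if proto == "tcp" and port in ports and crosses_boundary:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "service": ports[port], "action": action})
    return findings

def pumps_reached(findings):
    """Map each pump address to the watched services that were allowed through."""
    reached = defaultdict(set)
    for f in findings:
        if f["action"] == "allow":
            reached[f["dst"]].add(f["service"])
    return dict(reached)

if __name__ == "__main__":
    hits = find_unexpected(SAMPLE_FLOWS)
    print(hits, pumps_reached(hits))
```

An allowed FTP session to a pump address is also worth checking against the WBM reboot recommendation, since CVE-2020-12043 describes the FTP service staying operational until the WBM is rebooted.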

CISA recommends users take defensive measures to minimise the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimise network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognising VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise VPN is only as secure as its connected devices.



Last edited: 20 September 2022 3:07 pm