Baxter Sigma Spectrum Infusion Pump Vulnerabilities

CISA Medical Advisory released for four vulnerabilities found in four Sigma Spectrum and two Baxter Spectrum product lines

Threat ID:: CC-4175
Threat Severity:: Low
Published:: 23 September 2022 4:17 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CISA Medical Advisory released for four vulnerabilities found in four Sigma Spectrum and two Baxter Spectrum product lines

Affected platforms

The following platforms are known to be affected:

Sigma Spectrum v6.x model 35700BAX
Sigma Spectrum v8.x model 35700BAX2
Baxter Spectrum IQ (v9.x) model 35700BAX3
Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28

Threat details

Introduction

Baxter has released details of multiple vulnerabilities affecting their Sigma Spectrum and Baxter Spectrum Infusion system products. A remote, unauthenticated attacker could exploit some or all of these vulnerabilities to obtain sensitive data, perform a man-in-the-middle attack, or cause a denial-of-service condition.

Vulnerabilities

Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration.

CVE-2022-26390 - CWE-311 - MISSING ENCRYPTION OF SENSITIVE DATA

The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D19 to v22D28) stores network credentials and patient health information (PHI) in unencrypted form. PHI is only stored in Spectrum IQ pumps using auto programming. An attacker with physical access to a device without all data and settings erased may be able to extract sensitive information. A CVSS v3 base score of 4.2 has been calculated.

CVE-2022-26392 - CWE-134 - USE OF EXTERNALLY CONTROLLED FORMAT STRING

The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32), when in superuser mode, are susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information. A CVSS v3 base score of 3.1 has been calculated.

CVE-2022-26393 - CWE-134 - USE OF EXTERNALLY CONTROLLED FORMAT STRING

The Baxter Spectrum WBM (v20D29) is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a denial-of-service condition on the WBM. A CVSS v3 base score of 5.0 has been calculated.

CVE-2022-26394 - CWE-306 - MISSING AUTHENTICATION FOR CRITICAL FUNCTION

The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32) does not perform mutual authentication with the gateway server host. This could allow an attacker to perform a machine-in-the-middle attack that modifies parameters, making the network connection fail. A CVSS v3 base score of 5.5 has been calculated.

Remediation advice

Affected organisations should review the relevant CISA advisory ICSMA-22-251-01 and the Baxter Product Security Bulletin.

According to Baxter, software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates addressing the format string attack (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions authentication is already available in Spectrum IQ (CVE-2022-26394).

Instructions to erase all data and settings on WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator’s Manual.

Baxter provides recommended steps for erasing all data and settings on the pump to be decommissioned:

Reset the network settings (Biomed->Network Configuration->Transfer Network Settings->Reset).
Delete the drug library.
Clear the history log.

To erase all data and settings on the WBM to be decommissioned:

Select a pump other than the one last used with the WBM.
Reset the network settings and enable networking on the pump.
Place the WBM on the pump.
Wait until the network icon turns yellow.

In conjunction with the user’s own network security policies, Baxter recommends the following mitigations to reduce the likelihood these vulnerabilities will be exploited:

Ensure appropriate physical controls within user environments to protect against unauthorised access to devices.
Isolate the Spectrum Infusion Systems to its own network virtual local area network (VLAN) to segregate the system from other hospital systems and reduce the probability that a threat actor could execute an adjacent attack, such as a machine-in-the-middle attack against the system to observe clear-text communications.
Use the strongest available wireless network security protocols (WPA2, EAP-TLS, etc.) to provide authentication/encryption of wireless data sent to/from the Spectrum Infusion System.
Users should ensure the WBM is rebooted after configuration for their network(s) by removing the WBM from the rear of the Spectrum device for 10-15 seconds, and then re-attaching the WBM.
Users should always monitor for and/or block unexpected traffic, such as FTP and Telnet, at network boundaries into the Spectrum-specific VLAN.

As a last resort, users may disable wireless operation of the pump; the Spectrum Infusion System was designed to operate without network access. This action would impact an organisation’s ability to rapidly deploy drug library (formulary) updates to their pumps.

CISA recommends users take defensive measures to minimise the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

Minimise network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognising VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise VPN is only as secure as its connected devices.

CISA reminds organisations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2022-26390

The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.

Status Published

CVE-2022-26392

The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.

Status Published

CVE-2022-26393

The Baxter Spectrum WBM is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a Denial of Service (DoS) on the WBM.

Status Published

CVE-2022-26394

The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. This may allow an attacker to perform a man in the middle attack that modifies parameters making the network connection fail.

Last edited: 23 September 2022 4:18 pm