10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.042 Low
EPSS
Percentile
92.3%
This updated advisory is a follow-up to the updated advisory titled ICSA-15-125-01A Hospira LifeCare PCA Infusion System Vulnerabilities that was published May 13, 2015, on the NCCIC/ICS-CERT web site.
Independent researcher Billy Rios has identified vulnerabilities in Hospira’s LifeCare PCA Infusion System, which ICS-CERT has been coordinating with Hospira since May 2014. Kyle Kamke of Ramparts, LLC has independently identified an uncontrolled resource consumption vulnerability in Hospira’s Symbiq Infusion System. Hospira has not validated that this vulnerability exists on the LifeCare PCA System.
ICS-CERT has become aware of publicly disclosed vulnerabilities in the LifeCare Infusion System, which have been validated by Hospira. ICS-CERT is reporting on these additional vulnerabilities identified by “tech” to provide notice, so that asset owners and operators can take additional defensive measures to mitigate risks associated with these vulnerabilities.
Hospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities. Hospira has submitted a premarket 510(k) submission of the new LifeCare PCA Infusion System to the U.S. Food and Drug Administration (FDA), and this submission is currently under review. The release of the new system will be dependent on the clearance of Hospira’s 510(k).
These vulnerabilities could be exploited remotely. Exploits that target some of these vulnerabilities are known to be publicly available.
The following Hospira products are affected:
Successful exploitation of these vulnerabilities, in a worst case scenario, may allow an attacker to impact the core functions of the device.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Hospira is a US-based company that maintains offices in several countries around the world.
The affected product, the LifeCare PCA Infusion System, is an intravenous pump that delivers medication to patients. The affected products are deployed across the Healthcare and Public Health Sector. Hospira estimates that these products are primarily used in the US and Canada.
The researcher has evaluated the device and asserts that the device contains a buffer overflow vulnerability that could be exploited to allow execution of arbitrary code on the device. This vulnerability has not been validated by Hospira; however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so that additional monitoring and controls can be applied.
CVE-2015-3955NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3955, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:H/Au:N/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:H/Au:N/C:C/I:C/A:C, web site last accessed June 10, 2015.
The LifeCare PCA Infusion pump’s communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user may be able to issue commands to modify the wireless configuration of the pump.
CVE-2015-3459NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459, web site last accessed May 13, 2015. has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web site last accessed May 13, 2015.
The LifeCare PCA Infusion pump could have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source. The LifeCare PCA Infusion pump listens on the following ports: Port 20/FTP, Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.
CVE-2014-5406NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5406, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:H/Au:N/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:H/Au:N/C:C/I:C/A:C, web site last accessed June 10, 2015.
Hardcoded accounts may be used to access the device.
CVE-2015-1011NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1011, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web site last accessed May 13, 2015.
Wireless keys are stored in plain text on Version 5 of the LifeCare PCA Infusion System. According to Hospira, Version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting.
CVE-2015-1012NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1012, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:N).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:N, web site last accessed May 13, 2015.
Private keys and certificates are stored on the device.
CVE-2015-3957NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3957, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 4.6 has been assigned; the CVSS vector string is (AV:L/AC:L/Au:N/C:P/I:P/A:P).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:L/Au:N/C:P/I:P/A:P, web site last accessed June 10, 2015.
The web server is reportedly running vulnerable versions of AppWeb, to include Version 1.0.2, which contain numerous vulnerabilities. This vulnerability impacts LifeCare PCA Infusion Systems Version 5, prior to Version 5.07. According to Hospira, Version 3 of the LifeCare PCA Infusion System does not have wireless capability and, therefore, does not use the vulnerable versions of AppWeb.
The device is susceptible to a denial of service condition as a result of an overflow of TCP packets, which requires the device to be manually rebooted. This vulnerability has not been validated by Hospira; however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers’ awareness, so that additional monitoring and controls can be applied.
CVE-2015-3958NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3958, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, web site last accessed June 10, 2015.
All but one of these vulnerabilities could be exploited remotely.
Exploits that target some of these vulnerabilities are known to be publicly available.
An attacker with low skill would be able to exploit all but two of these vulnerabilities; the remaining vulnerabilities would require high skill to exploit.
ICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCS Infusion System, Version 7.0 that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.
Hospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities. Specifically, the new version is intended to:
Existing PCA Infusion Systems running Version 5.0 can be upgraded to Version 7.0 when it becomes available. Hospira will be retiring older versions of the LifeCare PCA Infusion System, Versions 2 and Versions 3, by the end of the year, 2015.
Hospira’s premarket 510(k) submission for the new LifeCare PCA Infusion System (Version 7.0) is currently being reviewed by the FDA. The release of the new system will be dependent on the clearance of Hospira’s 510(k).
For additional information about Hospira’s upcoming release, contact Hospira’s technical support at 1-800-241-4002.
ICS-CERT strongly encourages asset owners to perform a risk assessment by examining their specific clinical use of the LifeCare PCA Infusion System in their host environment to identify any potential impacts of the identified vulnerabilities. ICS-CERT offers the following compensating options:
ICS-CERT encourages asset owners to implement the following defensive measures to protect against this and other cybersecurity risks. Specifically, users should:
ICS-CERT also provides a section for security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Hospira%20LifeCare%20PCA%20Infusion%20System%20Vulnerabilities%20%28Update%20B%29+https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01b
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01b&title=Hospira%20LifeCare%20PCA%20Infusion%20System%20Vulnerabilities%20%28Update%20B%29
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01b
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01b
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Hospira%20LifeCare%20PCA%20Infusion%20System%20Vulnerabilities%20%28Update%20B%29&body=www.cisa.gov/news-events/ics-advisories/icsa-15-125-01b
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.042 Low
EPSS
Percentile
92.3%