8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.327 Low
EPSS
Percentile
97.0%
This updated advisory is a follow-up to the original advisory titled ICSMA-17-250-02 Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities that was published September 7, 2017, on the NCCIC/ICS-CERT web site.
Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medicalβs Medfusion 4000 Wireless Syringe Infusion Pump.
--------- Begin Update A Part 1 of 3 --------
Smiths Medical has released a patch to address these vulnerabilities. ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.
--------- End Update A Part 1 of 3 --------
These vulnerabilities could be exploited remotely.
The following Medfusion 4000 Wireless Syringe Infusion Pump versions are affected:
Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.
Smiths Medical is headquartered in Plymouth, Minnesota, and is a subsidiary of Smiths Group plc, which is a UK-based company.
The affected products, Medfusion 4000 Wireless Syringe Infusion Pumps, are syringe infusion pumps used to deliver small doses of medication in acute care settings. According to Smiths Medical, Medfusion 4000 Wireless Syringe Infusion Pumps are deployed across the Healthcare and Public Health sector. Smiths Medical estimates these products are used worldwide.
A third-party component used in the pump does not verify input buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device. The pump receives the potentially malicious input infrequently and under certain conditions, increasing the difficulty of exploitation.
CVE-2017-12718NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12718, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed September 7, 2017.
A third-party component used in the pump reads memory out of bounds, causing the communications module to crash. Smiths Medical assesses that the crash of the communications module would not impact the operation of the therapeutic module.
CVE-2017-12722 . NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12722, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). . CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, web site last accessed September 7, 2017.
The pump with default network configuration uses hard-coded credentials to automatically establish a wireless network connection. The pump will establish a wireless network connection even if the pump is Ethernet connected and active; however, if the wireless association is established and the Ethernet cable is attached, the pump does not attach the network stack to the wireless network. In this scenario, all network traffic is instead directed over the wired Ethernet connection.
CVE-2017-12725NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12725 , NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed September 7, 2017.
The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.
CVE-2017-12720NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12720, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed September 7, 2017.
The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections.
CVE-2017-12724NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12724, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed September 7, 2017.
Telnet on the pump uses hardcoded credentials, which can be used if the pump is configured to allow external communications. Smiths Medical assesses that it is not possible to upload files via Telnet and the impact of this vulnerability is limited to the communications module.
CVE-2017-12726NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12726, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 5.6 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L, web site last accessed September 7, 2017.
The pump does not validate host certificate, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.
CVE-2017-12721NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12721, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, web site last accessed September 7, 2017.
The pump stores some passwords in the configuration file, which are accessible if the pump is configured to allow external communications.
CVE-2017-12723NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12723, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, web site last accessed September 7, 2017.
These vulnerabilities could be exploited remotely.
No known public exploits specifically target these vulnerabilities.
An attacker with high skill would be able to exploit these vulnerabilities.
--------- Begin Update A Part 2 of 3 --------
Smiths Medical has released update Version 1.6.1 to mitigate the vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump.
--------- End Update A Part 2 of 3 --------
Smiths Medical recommends users apply the following defensive measures:
--------- Begin Update A Part 3 of 3 --------
For additional information about the vulnerabilities, proposed measures, or obtaining the product fix, contact Smiths Medical Technical Support at:
Tel: +1 (800) 258 5361 or +01 614 210 7300
Online: <https://smiths-medical.custhelp.com/>
Email: [email protected]
--------- End Update A Part 3 of 3 --------
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment by examining their specific clinical use of the pump in the host environment. ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users:
ICS-CERT also provides a section for security recommended practices on the ICS-CERT web page at http://ics-cert.us-cert.gov/content/recommended-practices.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
smiths-medical.custhelp.com/
twitter.com/CISAgov
twitter.com/intent/tweet?text=Smiths%20Medical%20Medfusion%204000%20Wireless%20Syringe%20Infusion%20Pump%20Vulnerabilities%20%28Update%20A%29+https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-02a
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-02a&title=Smiths%20Medical%20Medfusion%204000%20Wireless%20Syringe%20Infusion%20Pump%20Vulnerabilities%20%28Update%20A%29
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-02a
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-02a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Smiths%20Medical%20Medfusion%204000%20Wireless%20Syringe%20Infusion%20Pump%20Vulnerabilities%20%28Update%20A%29&body=www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-02a
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.327 Low
EPSS
Percentile
97.0%