Medical Device Security Vulnerabilities Discovered in Baxter Infusion Pumps

September 09, 2022 - Four medical device security vulnerabilities are impacting certain Sigma and Baxter Spectrum infusion pumps, a Cybersecurity and Infrastructure Security Agency (CISA) explained in an advisory. Rapid7’s principal IoT researcher informed Baxter of the vulnerabilities.

If exploited, the vulnerabilities could result in alteration of system configuration and improper access to sensitive data, CISA stated. Most of the vulnerabilities are exploitable remotely and have a high attack complexity.

The following devices may be impacted by the four vulnerabilities:

• Sigma Spectrum v6.x model 35700BAX
• Sigma Spectrum v8.x model 35700BAX2
• Baxter Spectrum IQ (v9.x) model 35700BAX3
• Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
• Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
• Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28

The highest-severity vulnerability, with a CVSS score of 5.5, impacts certain versions of the Baxter Spectrum Wireless Battery Modules (WBM). Researchers discovered that the device does not perform mutual authentication with the gateway server host, which could allow an attacker to perform a machine-in-the-middle attack. Through this attack, a hacker could modify parameters and make the network connection fail.

Another vulnerability affecting the Baxter Spectrum WBM (v20D29) involves the use of an externally controlled format string and received a CVSS score of 5.0.

The device “is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a denial-of-service condition on the WBM,” the advisory explained.

One of the other disclosed vulnerabilities, with a CVSS score of 3.1, also involves the use of an externally controlled format string, but impacts the Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32).

When in “superuser mode,” the devices impacted by this vulnerability are similarly susceptible to format string attacks via application messaging. Leveraging this vulnerability, threat actors could read memory in the WBM in order to access sensitive information.

The final vulnerability impacts the Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D19 to v22D28) and received a CVSS score of 4.2.

This vulnerability requires an attacker to have physical access to a device without all data and settings erased. Since the device stores network credentials and protected health information (PHI) in unencrypted form, an unauthorized party would be able to extract sensitive information.

“According to Baxter, software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates addressing the format string attack (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions authentication is already available in Spectrum IQ (CVE-2022-26394),” the advisory continued.

“Instructions to erase all data and settings on WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator’s Manual.”

Baxter recommended that users reset network settings, delete drug libraries, and clear history logs before decommissioning any pumps.

In addition, organizations should ensure that they have employed proper physical controls to prevent unauthorized access and exploitation. Organizations should also isolate the Spectrum Infusion Systems to their own virtual local area network (VLAN) to separate the system from other critical hospital systems.

“As a last resort, users may disable wireless operation of the pump; the Spectrum Infusion System was designed to operate without network access. This action would impact an organization’s ability to rapidly deploy drug library (formulary) updates to their pumps,” the advisory explained.

CISA urged organizations to perform proper impact analysis and risk assessments prior to implementing new security measures.