Until a new version of Smiths Medical's Medfusion 4000 Wireless Syringe Infusion Pump is issued in January 2018, its operators should be wary of eight vulnerabilities that can be remotely exploited to gain access to the device and compromise its functionality.
Health care professionals use the pump in acute care facilities to deliver small doses of medication to patients from a variety of syringe sizes.
Crediting independent researcher Scott Gayou with the bugs' discovery, the ICS-CERT reported in an advisory last week that attackers "with high skill" can leverage the flaws to sabotage the pump's communications module and therapeutic module, despite the segmented design of the device.
Found in versions 1.1, 1.5, and 1.6 of the pump, the flaws consist of a buffer overflow in a third-party component (CVE-2017-12718), an out-of-bounds read in a third-party component (CVE-2017-12722), the use of hard-coded credentials in the FTP server (CVE-2017-12724) and while automatically establishing a wireless network connection (CVE-2017-12725), improper access control in the pump's FTP server (CVE-2017-12720), use of a hard-coded password by Telnet (CVE-2017-12726), improper certificate validation that can enable a man-in-the-middle attack (CVE-2017-12721), and the storage of accessible passwords within the configuration file (CVE-2017-12723).
The ICS-CERT, which operates within the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC), and Plymouth, Minn.-based Smiths Medical have recommended several defensive measures to protect against the threat of an exploit until the new product version 1.6.1 of the pump is released. All of these recommendations are listed within the advisory.