CISA Warns Health Sector of Baxter Sigma Spectrum Infusion Pump Vulnerabilities

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory to the healthcare sector regarding four vulnerabilities in the Baxter Sigma Spectrum infusion pumps, devices typically used to deliver medications and nutrition to patients. The vulnerabilities in the infusion pumps were identified by IoT researchers at Rapid7, a well-known security solution provider, and reported to Baxter, which is working with Rapid7 to resolve them.

The affected versions are: Sigma Spectrum v6.x model 35700BAX; Sigma Spectrum v8.x model 35700BAX2; Baxter Spectrum IQ (v9.x) model 35700BAX3; Sigma Spectrum LVP v6.x with Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28; Sigma Spectrum LVP v8.x with Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28; and Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28.

The first flaw identified by Rapid7 is a missing encryption of sensitive information. Baxter Spectrum WBM v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D19 to v22D28 store wireless network credentials (usernames and passwords) and, on devices that use auto programming, protected health information (PHI) in unencrypted form. An attacker with physical access to a device whose data and settings have not all been erased may be able to extract this information.

The second flaw is the device's use of an externally controlled format string. When in superuser mode, Baxter Spectrum WBM v16 and v16D38, and Baxter Spectrum WBM v17, v17D19, and v20D29 to v20D32, are vulnerable to format string attacks through application messaging; an attacker can use this to read memory from the device and obtain sensitive information. A similar vulnerability has been identified in Baxter Spectrum WBM v20D29: it is reachable in the same way through application messaging, but on this version the attacker can also cause a denial-of-service condition.

The final vulnerability affects Baxter Spectrum WBM v16, v16D38, v17, v17D19, and v20D29 to v20D32. These versions operate without requiring mutual authentication with the gateway server host, so an attacker positioned on the network can perform a machine-in-the-middle attack that alters parameters, causing the network connection to fail.
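As an added illustration of the format string flaw (this is example code, not code from Baxter, Rapid7 or the advisory), the following C program places the externally controlled format string pattern beside its hardened form and adds a simple directive-count check that can reject hostile messages before they reach any printf-family call. The message contents, function names and buffer sizes are assumptions made for the example; the pump's real application message format and code paths are not described on this page.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately keeps the bug the advisory describes; suppress the compiler's
 * (correct) warning so the vulnerable pattern can be shown next to the fix. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable pattern: the attacker-supplied message IS the format string.
 * A message such as "%p.%p.%p.%p" makes snprintf read values from the stack
 * or argument registers into the output (an information leak); "%s" with a
 * bad pointer or "%n" writes make the process crash (denial of service). */
static int log_message_vulnerable(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}

/* Hardened pattern: the format string is a constant and the message is data,
 * so "%p" or "%n" inside the message are copied literally and never parsed. */
static int log_message_hardened(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Defence in depth: count conversion specifications in an incoming message.
 * "%%" is an escaped literal percent sign and is not counted. A message with
 * a non-zero count has no business being passed to a printf-style function. */
static int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" -> literal '%', skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed sample messages; not captured from a real device. */
    const char *benign  = "pump 12: infusion rate 50 mL/h";
    const char *hostile = "%p.%p.%p.%p.%p.%p";

    log_message_hardened(buf, sizeof buf, benign);
    printf("hardened, benign : %s\n", buf);

    log_message_hardened(buf, sizeof buf, hostile);
    printf("hardened, hostile: %s\n", buf);   /* directives printed literally */

    printf("directives in hostile message: %d\n",
           count_format_directives(hostile));

    /* Demonstration of the bug only: this call is undefined behaviour. On a
     * typical build it fills buf with hex values read from the stack or
     * argument registers, which is the memory leak the advisory describes. */
    log_message_vulnerable(buf, sizeof buf, hostile);
    printf("vulnerable, hostile: %s\n", buf);
    return 0;
}
```

The fix is the one-token change from `snprintf(out, outsz, msg)` to `snprintf(out, outsz, "%s", msg)`; the directive counter is an extra input-validation gate for code paths where the format cannot easily be made constant, and building with `-Wformat-security` (and ideally `-Werror=format-security`) catches the vulnerable pattern at compile time.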

Baxter has confirmed that it is working on software updates to address the vulnerabilities. In the meantime, Baxter advises users of the infusion pumps to delete all data and settings on decommissioned devices by resetting the network settings, erasing the drug library, and clearing the history log. Baxter also recommends a number of actions to reduce the likelihood of the flaws being exploited: ensuring that physical controls within user environments protect against unauthorized access, using the strongest available wireless network security protocols, rebooting the devices after they have been configured for their networks, and monitoring for and preventing unexpected activity on the devices.