Today the DHS ICS-CERT published two medical device security
advisories for products from Smiths Medical and i-SENS. They also published two
control system security advisories for products from PHOENIX CONTACT and
SpiderControl.
Smiths Medical Advisory
This advisory
describes eight vulnerabilities in the Smiths Medical Medfusion 4000 Wireless
Syringe Infusion Pump. The vulnerabilities were reported by Scott Gayou. Smiths
Medical is developing a new product version to mitigate the vulnerabilities;
compensating controls have been developed.
The eight reported vulnerabilities are:
• Buffer copy without checking size of input - CVE-2017-12718;
• Out-of-bounds read - CVE-2017-12722;
• Use of hard-coded credentials - CVE-2017-12725, CVE-2017-12724;
• Improper access control - CVE-2017-12720;
• Use of hard-coded password - CVE-2017-12726;
• Improper certificate validation - CVE-2017-12721; and
• Password in configuration file - CVE-2017-12723
ICS-CERT reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to gain unauthorized access and impact the
intended operation of the pump. Despite the segmented design, it may be
possible for an attacker to compromise the communications module and the
therapeutic module of the pump.
No FDA safety
communication has been released on these vulnerabilities.
i-SENS Advisory
This advisory
describes an uncontrolled search path element vulnerability in the i-SENS SmartLog
Diabetes Management Software. The vulnerability was reported by Mark Cross. i-SENS
has produced a new version that mitigates the vulnerability. ICS-CERT reports
that Cross has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that an authorized user with local access
could exploit the vulnerability to execute arbitrary code on the target system.
PHOENIX CONTACT Advisory
This advisory
describes a null pointer dereference vulnerability in the PHOENIX CONTACT mGuard
firmware. This vulnerability was self-reported. PHOENIX CONTACT has produced a
firmware version that mitigates the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a remote denial of service
and force a restart of all IPSec connections.
SpiderControl Advisory
This advisory
describes an improper privilege management vulnerability in the SpiderControl SCADA
Web Server. The vulnerability was reported by Karn Ganeshen. SpiderControl has
produced a new version that mitigates the vulnerability. There is no indication
that Ganeshen has been provided an opportunity to verify the efficacy of the
fix.
ICS-CERT reports that a relatively low-skilled attacker with
authorized access could exploit the vulnerability to escalate their privileges
under certain conditions.