Rapid7 discovers four vulnerabilities
On April 20, 2022, Rapid7 found vulnerabilities in two TCP/IP-enabled medical devices made by Baxter Healthcare. The four vulnerabilities affected the company's SIGMA Spectrum Infusion Pump and SIGMA WiFi battery.
Five months after Rapid7 reported the issue to Baxter, the two organizations are now disclosing that they collaborated to discuss the impact, the fix, and a coordinated strategy for these flaws.
InfoSecurity reports that all of these vulnerabilities have now reportedly been fixed, but that in the new disclosure report Heiland clarified that, even before the patches were released, the issues could not have been exploited over the internet or from a great distance.
About the vulnerability
Rapid7 covered the findings in a recent report, in which the firm noted that the SIGMA bugs were found by Deral Heiland, Rapid7's lead IoT (Internet of Things) expert.
For context, Baxter's SIGMA infusion pumps are commonly used by hospitals to deliver medication and nutrition directly into a patient's circulatory system.
The first vulnerability (CVE-2022-26390), discovered by Rapid7, caused the pump to send its WiFi credentials to the battery unit whenever the battery was connected to the primary infusion pump and the pump was powered on.
The second vulnerability (CVE-2022-26392) exposed the 'hostmassage' command to a format string vulnerability when it was executed during a telnet session on Baxter SIGMA WiFi battery firmware version 16.
The third vulnerability (CVE-2022-26393) is also a format string vulnerability, this one in WiFi battery software version 20 D29.
The fourth and last vulnerability (CVE-2022-26394) allowed remote, unauthorised modification of the SIGMA GW IP address on WiFi battery units (versions 16, 17 and 20 D29); this address is used to configure the back-end communication services the devices rely on.
How does the attack take place?
The threat actor has to be at least within WiFi range of the affected devices, and in some cases would need direct physical access.
But if an attacker gains network access to the pump unit, a single unauthorised packet is enough to make the unit redirect all of its back-end communication to a host the attacker controls, creating the conditions for a possible man-in-the-middle (MitM) attack.
Rapid7 reports:
"This could impact the accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept Drug library data updates to the pumps — which could potentially be dangerous."