Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices

Share this article on:

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued medical advisories about vulnerabilities in medical devices manufactured by Baxter, Becton, Dickinson and Company (BD), and BIOTRONIK.

The following products are affected:

  • Baxter PrismaFlex (all versions)
  • Baxter PrisMax (all versions prior to 3.x)
  • Baxter ExactaMix EM 2400 (Versions 1.10, 1.11, 1.13, 1.14)
  • Baxter ExactaMix EM 1200 (Versions 1.1, 1.2, 1.4, 1.5)
  • Baxter Phoenix Hemodialysis Delivery System (SW 3.36 and 3.40)
  • Baxter Sigma Spectrum Infusion Pumps (see below)
  • BIOTRONIK CardioMessenger II-S T-Line (T4APP 2.20)
  • BIOTRONIK CardioMessenger II-S GSM (T4APP 2.20)
  • BD Alaris PCU (Versions 9.13, 9.19, 9.33, and 12.1)

Before implementing any defensive measures it is important to conduct an impact analysis and risk assessment.

Baxter PrismaFlex and PrisMax

Three vulnerabilities have been identified in Baxter PrismaFlex and PrisMax systems that could allow an attacker to obtain sensitive data, although network access would first be required.

The vulnerabilities are:

  • CVE-2020-12036 – Cleartext transmission of sensitive information when the system is configured to send treatment data to a Patient Data Management System (PDMS) or EMR system. The vulnerability has been assigned a CVSS v3 base score of 6.5 out of 10.
  • CVE-2020-12035 – Vulnerable devices do not require authentication if configured to send treatment data to a PDMS or EMR system, which could allow an attacker to change treatment status information. The vulnerability has been assigned a CVSS v3 base score of 7.6 out of 10.
  • CVE-2020-12037 – The PrismaFlex device has a hard-coded service password which gives access to biomedical information, device settings, calibration settings, and the network configuration. The vulnerability has been assigned a CVSS v3 base score of 5.4 out of 10.

Users should update to PrismaFlex Versions SW 8.2 and PrisMaxv3 with DCM, limit physical access to devices and apply a defense-in-depth approach to security. It is also important to verify compatibility if the affected devices are used with PDMS or EMR systems.

Baxter ExactaMix

Seven vulnerabilities have been identified in ExactaMix EM2400 and EM1200 systems that could allow access to sensitive data, changes to system configuration, and alteration of system resources, which could impact system availability.

  • CVE-2020-12016 – Use of a hard-coded password could allow an unauthorized individual who has access to system resources to view PHI. The vulnerability has been assigned a CVSS v3 base score of 8.1 out of 10.
  • CVE-2020-12012 – Hard-coded administrative account credentials could allow an individual with physical access to the system to view and update system information, which could compromise system integrity and expose PHI. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.
  • CVE-2020-12008 – The use of cleartext messages to communicate order information with an order entry system could expose PHI. The vulnerability has been assigned a CVSS v3 base score of 7.5 out of 10.
  • CVE-2020-12032 – Device data with sensitive information is stored in an unencrypted database. An attacker with network access could view or change PHI. The vulnerability has been assigned a CVSS v3 base score of 8.1 out of 10.
  • CVE-2020-12024 – An unauthorized individual with physical access could use the USB interface to load and run unauthorized payloads, which could affect the confidentiality of data and integrity of the system. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.
  • CVE-2020-12020 – Non administrative users can gain access to the operating system and edit the application startup script. The vulnerability has been assigned a CVSS v3 base score of 6.1 out of 10.
  • CVE-2017-0143 – An SMBv1 input validation vulnerability could allow a remote attacker to gain unauthorized access to sensitive information, create denial of service conditions, or execute arbitrary code. The vulnerability has been assigned a CVSS v3 base score of 8.1 out of 10.

Users should contact their service support team to discuss upgrading to the ExactaMix Version 1.4 (EM1200) and ExactaMix Version 1.13 (EM2400) compounders.

Baxter Phoenix Hemodialysis Delivery System

Baxter has identified a vulnerability in its Phoenix Hemodialysis Delivery System which could allow an attacker with network access to steal sensitive data as a result of transmission of data in cleartext.

This is due to the system not supporting encryption of treatment and prescription data in transit (TLS/SSL) between the Phoenix system and the Exalis dialysis data management tool. The vulnerability is tracked as CVE-2020-12048 and has been assigned a CVSS v3 base score of 7.5 out of 10.

Baxter recommends employing cybersecurity defense-in-depth strategies such as network segmentation, and placing Phoenix machines and Exalis Server PCs on a dedicated subnetwork. If remote access is required, only allow connections using a VPN, admins should firewall each network segment, limit inbound and outbound connections, and scan for malware and unauthorized network access.

Baxter Sigma Spectrum Infusion Pumps

Baxter has identified six vulnerabilities in the following models of its Sigma Spectrum infusion systems:

  • Sigma Spectrum v6.x model 35700BAX
  • Baxter Spectrum v8.x model 35700BAX2
  • Sigma Spectrum v6.x with Wireless Battery Modules v9, v11, v13, v14, v15, v16, v20D29, v20D30, v20D31, and v22D24
  • Baxter Spectrum v8.x with Wireless Battery Modules v17, v20D29, v20D30, v20D31, and v22D24
  • Baxter Spectrum Wireless Battery Modules v17, v20D29, v20D30, v20D31, and v22D24
  • Baxter Spectrum LVP v8.x with Wireless Battery Modules v17, v20D29, v20D30, v20D31, and v22D24

An attacker exploiting the flaws could obtain sensitive data and change the system configuration, which could affect system availability.

  • CVE-2020-12045 is due to the Baxter Spectrum WBM operating a Telnet service on Port 1023 with hard-coded credentials, when used in conjunction with a Baxter Spectrum v8.x. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10.
  • CVE-2020-12041 is due to the Baxter Spectrum WBM telnet Command-Line Interface granting access to sensitive data stored on the WBM that permits temporary configuration changes to network settings of the WBM and allow a WBM reboot. The reboot would remove temporary configuration changes to network settings. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10.
  • CVE-2020-12047 is due to the use of hard-coded credentials. The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), when used with a Baxter Spectrum v8.x (model 35700BAX2) in a factory-default wireless configuration, enables an FTP service with hard-coded credentials. The vulnerability has been assigned a CVSS v3 base score of 7.3 out of 10.
  • CVE-2020-12040 is due to the use of an unauthenticated clear-text communication channel to send and receive system status and operational data. The flaw could be exploited in an MitM attack and could result in circumvention of network security measures and access to sensitive data. The vulnerability has been assigned a CVSS v3 base score of 7.3 out of 10.
  • CVE-2020-12043 affects the Baxter Spectrum WBM and is due to the FTP service operating on the WBM remaining operational until the WBM is rebooted, when configured for wireless networking. The vulnerability has been assigned a CVSS v3 base score of 7.3 out of 10.
  • CVE-2020-12039 is due to the use of hard-coded passwords which could be entered on the keypad to access menus and change the device settings. Physical access would be required to exploit the flaw. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.

Mitigations include controlling physical access to vulnerable devices, operating the devices on a separate VLAN, segregating the system from other hospital systems, and using wireless network security protocols to provide authentication/encryption of wireless data sent to/from the Spectrum Infusion System. It is also recommended that admins should monitor for/block unexpected traffic at network boundaries into the Spectrum-specific VLAN.

BIOTRONIK CardioMessenger II

Five vulnerabilities have been identified in BIOTRONIK CardioMessenger II-S T-Line and II-S GSM (T4APP 2.20) cardiac activity monitors.

Exploitation of the flaws could lead to theft of sensitive data and could allow an attacker to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network. In order to exploit the flaws an attacker would need adjacent access.

  • CVE-2019-18246 is due to improper authentication between the affected products and BIOTRONIK Remote Communication infrastructure. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10
  • CVE-2019-18248 is due to the products transmitting credentials in plaintext before switching to an encrypted communication channel. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10
  • CVE-2019-18252 is a further improper authentication issue, allowing credential reuse for multiple authentication purposes. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10
  • CVE-2019-18254 is due to a lack of encryption for sensitive data at rest. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.
  • CVE-2019-18256 is due to the storage of passwords in a recoverable format. The passwords could be used for network authentication and decryption of local data in transit. The vulnerability has been assigned a CVSS v3 base score of 4.6 out of 10

BIOTRONIK has determined the vulnerabilities do not introduce new safety risks and, as such, the company will not be issuing a security update to correct the flaws. The following compensating controls will reduce the risk of exploitation.

These are:

  • Maintain good physical control over home monitoring units.
  • Use only home monitoring units obtained directly from a trusted healthcare provider or a BIOTRONIK representative to ensure integrity of the system.
  • Report any concerning behavior regarding these products to your healthcare provider or a BIOTRONIK representative.

BD Alaris PCUs

A vulnerability has been identified in certain BD Alaris PCUs that could potentially be exploited to trigger a denial of service condition that could affect the wireless functionality of vulnerable devices. The flaw is due to a hard-coded Linux kernel maximum segment size overflow.

The vulnerability only affects the versions 9.13, 9.19, 9.33, and 12.1 of the Alaris PC Unit that have implemented the Linux Kernel v4.4.97 within the Laird Wireless Module WB40N. The vulnerability is tracked as CVE-2019-11479 and has been assigned a CVSSv3 base score of 5.3 out of 10.

BD proactively identified the vulnerability and reported it to CISA. BD recommends using stronger network controls for wireless authentication such as WPA2 protocols, to monitor wireless networks with patient connected devices for possible malicious activity, to operate BD Alaris Systems Manger behind a firewall and to patch regularly, and to separate the BD Alaris PC Unit and BD Alaris Systems Manager with a firewall.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On