Hospira LifeCare PCA Infusion System Vulnerabilities

CVSS 10.0 CRITICAL

CVEs (7)

CVE-2014-5406 CVE-2015-1011 CVE-2015-1012 CVE-2015-3459 CVE-2015-3955 CVE-2015-3957 CVE-2015-3958

ICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCS Infusion System, Version 7.0 that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.
Hospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities. Specifically, the new version is intended to: Mitigate unauthorized remote access to the device,Disable the ability for unauthorized changes to the medication library, Remove hard-coded passwords to gain access to the device, Encrypt storage of wireless network keys, and Ensure that the vulnerable versions of AppWeb are no longer used.
Existing PCA Infusion Systems running Version 5.0 can be upgraded to Version 7.0 when it becomes available. Hospira will be retiring older versions of the LifeCare PCA Infusion System, Versions 2 and Versions 3, by the end of the year, 2015.
Hospira’s premarket 510(k) submission for the new LifeCare PCA Infusion System (Version 7.0) is currently being reviewed by the FDA. The release of the new system will be dependent on the clearance of Hospira’s 510(k).
For additional information about Hospira’s upcoming release, contact Hospira’s technical support at 1-800-241-4002.

Hospira

Hospira · LifeCare PCA Infusion System <=5.0

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.