ICSA-15-181-01 · Published 2025-06-06
Baxter SIGMA Spectrum Infusion System Vulnerabilities
CVSS 9.8 (CRITICAL)
CVEs (1)
Remediations
Baxter offers the following recommendations to help mitigate risks associated with these vulnerabilities in the SIGMA Spectrum Infusion System running Version 6.05 with WBM Version 16:
- Ensure that the WI-FI network supporting WBMs is secured using a secure WI-FI protocol
- Separate the network supporting the WBMs with a standalone VLAN or use similarly segmented network topography to isolate WBMs. This would require an attacker to compromise the standalone WI-FI network or otherwise gain access to the supporting VLAN before SSH access to the WBM is possible
- Configure Wireless Access Points and Firewalls, which provide access to the VLAN, to block Port 21/FTP and Port 22/SSH
- Ensure that network authentication credentials used by the WBM to connect to the network are properly restricted to only allow access to the wireless network
- As a last resort, customers may disable wireless operation of the pump. The Sigma Spectrum Infusion System was designed to operate without network access. This action would impact an organization’s ability to rapidly deploy drug library (formulary) updates to their pumps
- Baxter states that it has implemented a process to continually evaluate cybersecurity risks and has defined a roadmap to mitigate vulnerabilities
- Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes that do not contain three of the four identified vulnerabilities
- In Version 8, Baxter has addressed the authentication bypass issue by removing the SSH service from the WBM
- The new version addresses the clear text storage of sensitive information through modifications to the commands used to expose network and WI-FI credentials on the WBM
- Security key information is now masked or otherwise removed from command outputs
- Furthermore, the path to gain access to these commands is closed, as the SSH service has been removed
- In Version 8, Baxter has addressed the FTP hard-coded password vulnerability by removing the FTP service from the WBM
- Baxter has engaged an independent security expert to confirm that Version 8 does not contain the three remotely exploitable vulnerabilities
- Baxter has performed a cybersecurity risk analysis and has evaluated the potential impact of the hard-coded password to access the device as being low
- Baxter plans to address this in a future release
- Baxter recommends that facilities employ physical security controls to ensure the safety of the pump and WBM
- For additional information about the vulnerabilities, compensating measures, or the new version of the SIGMA Spectrum Infusion System, contact Baxter Technical Support at: 1-800-843-7867 or via email at: [email protected].
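
One way to verify the port-blocking and VLAN isolation recommendations above from a segment that should not reach the WBMs. This is an added example, not part of the advisory or any Baxter tooling; the function names and the script name in the usage string are illustrative, and the WBM addresses are assumed to come from the operator's own inventory.

```python
import socket
import sys

# Services the advisory says to block at the access points and firewalls
# that front the WBM VLAN.
BLOCKED_PORTS = {21: "FTP", 22: "SSH"}


def port_reachable(host, port, timeout=2.0):
    """Return True only if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, silently dropped (timeout) or unroutable all mean the
        # service is not reachable from this vantage point.
        return False


def audit_wbm_hosts(hosts, ports=BLOCKED_PORTS, timeout=2.0):
    """Return (host, port, service) for every blocked service that still answers."""
    findings = []
    for host in hosts:
        for port, service in sorted(ports.items()):
            if port_reachable(host, port, timeout):
                findings.append((host, port, service))
    return findings


def summarize(hosts, findings):
    """Map each host to the list of services still exposed (empty list = compliant)."""
    status = {host: [] for host in hosts}
    for host, port, service in findings:
        status[host].append(f"{port}/{service}")
    return status


if __name__ == "__main__":
    # Assumption: the operator passes WBM addresses from their own inventory.
    wbm_hosts = sys.argv[1:]
    if not wbm_hosts:
        sys.exit("usage: wbm_port_audit.py <wbm-address> [<wbm-address> ...]")
    report = summarize(wbm_hosts, audit_wbm_hosts(wbm_hosts))
    for host, exposed in report.items():
        print(f"{host}: {'EXPOSED ' + ', '.join(exposed) if exposed else 'blocked'}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it from the clinical network or any other segment outside the WBM VLAN; a non-zero exit status means at least one pump still answers on FTP or SSH and a filter rule is missing.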
Affected Vendors
Baxter
Affected Products (1)
Baxter · SIGMA Spectrum Infusion System (model 35700BAX) · 6.05