ICSMA-22-251-01  ·  Published 2022-09-29

Baxter Sigma Spectrum Infusion Pump (Update A)

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration.

Remediations

  • According to Baxter, software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates addressing the format string attack (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions. Authentication is already available in Spectrum IQ (CVE-2022-26394). Instructions to erase all data and settings on WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator's Manual.
  • Baxter provides recommended steps for erasing all data and settings on the pump to be decommissioned: Reset the network settings (Biomed->Network Configuration->Transfer Network Settings->Reset). Delete the drug library. Clear the history log.
  • To erase all data and settings on the WBM to be decommissioned: Select a pump other than the one last used with the WBM. Reset the network settings and enable networking on the pump. Place the WBM on the pump. Wait until the network icon turns yellow.
  • Ensure appropriate physical controls within user environments to protect against unauthorized access to devices.
  • Isolate the Spectrum Infusion System on its own virtual local area network (VLAN) to segregate it from other hospital systems and reduce the probability that a threat actor could execute an adjacent attack, such as a machine-in-the-middle attack against the system to observe clear-text communications.
  • Use the strongest available wireless network security protocols (WPA2, EAP-TLS, etc.) to provide authentication/encryption of wireless data sent to/from the Spectrum Infusion System.
  • Users should ensure the WBM is rebooted after configuration for their network(s) by removing the WBM from the rear of the Spectrum device for 10-15 seconds, and then re-attaching the WBM.
  • Users should always monitor for and/or block unexpected traffic, such as FTP and Telnet, at network boundaries into the Spectrum-specific VLAN.
  • As a last resort, users may disable wireless operation of the pump; the Spectrum Infusion System was designed to operate without network access. This action would impact an organization’s ability to rapidly deploy drug library (formulary) updates to their pumps.
  • For additional information, see the Baxter Product Security Bulletin.
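
One way to check boundary flow logs for the FTP and Telnet traffic that the list above says to monitor for or block on the way into the Spectrum-specific VLAN. This is an added example, not code from Baxter or CISA; the VLAN subnet, the flow-record format and the sample records are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumption: subnet of the Spectrum-specific VLAN (constructed private range).
PUMP_VLAN = ip_network("10.20.30.0/24")
# TCP ports of the services the advisory names as unexpected traffic.
WATCHED_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed flow records in a hypothetical export format:
# time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2022-09-29T10:00:01Z,10.1.5.44,10.20.30.17,tcp,23,allow
2022-09-29T10:00:05Z,10.20.30.17,10.20.30.18,tcp,21,allow
2022-09-29T10:00:09Z,10.1.5.44,10.20.30.17,tcp,443,allow
2022-09-29T10:00:12Z,10.1.9.8,10.20.30.22,tcp,21,deny
2022-09-29T10:00:15Z,10.1.9.8,10.20.30.22,udp,23,allow
"""


def find_boundary_violations(flow_csv, vlan=PUMP_VLAN):
    """Return FTP/Telnet flows that enter the VLAN from a host outside it."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip malformed records instead of failing the whole run
        ts, src, dst, proto, dport, action = (field.strip() for field in row)
        try:
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # unparsable address or port
        crosses_boundary = dst_ip in vlan and src_ip not in vlan
        if proto.lower() == "tcp" and port in WATCHED_PORTS and crosses_boundary:
            findings.append({
                "time": ts,
                "src": src,
                "dst": dst,
                "service": WATCHED_PORTS[port],
                # "allow" means the boundary passed the flow: a gap in blocking.
                "severity": "high" if action.lower() == "allow" else "info",
            })
    return findings


if __name__ == "__main__":
    for finding in find_boundary_violations(SAMPLE_FLOWS):
        print(finding)
```

Denied flows are still reported at "info" severity because repeated FTP or Telnet attempts against the pump VLAN are worth investigating even when the block works.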

Affected Vendors

Baxter

Affected Products (6)

Baxter · Baxter Spectrum IQ 9.x model 35700BAX3
Baxter · Baxter Spectrum IQ LVP 9.x (with Wireless Battery Modules >= 22D19 | <= v22D28)
Baxter · Sigma Spectrum 8.x model 35700BAX2
Baxter · Sigma Spectrum 6.x model 35700BAX
Baxter · Sigma Spectrum LVP 8.x (Wireless Battery Modules v17 | v17D19 >= 20D29 | <= 20D32 | >= 22D24 | <= 22D28)
Baxter · Sigma Spectrum LVP 6.x (Wireless Battery Modules 16 | 16D38 | 17 | 17D19 | >= 20D29 | <= v20D32 | >= 22D24 | <= v22D28)

Affected Sectors

Healthcare and Public Health
