Threat Watch

Medical Infusion Pumps Vulnerable to Old Flaws

Recent analysis of 200,000 network-connected medical infusion pumps shows that 75% are running with known security issues that date back to 2019 and 2020. Out of the 200,000 pumps that were analyzed by Palo Alto, at least 30,000, and potentially up to 100,000, pumps were affected by six flaws that were critical in severity. The most common flaw seen was CVE-2019-12255, a bug that has been known to affect embedded devices that use the VxWorks RTOS, including infusion pumps. More than 52% of the analyzed pumps had been affected by this flaw. The chart below lists the other bugs and their severity score.

Critical-severity bugs in Baxter products and percentage of affected devices identified by Palo Alto Networks IoT Security
 CVESeverity
(Score)
% of analyzed pumps with CVEs
1.CVE-2020-120409.8 (Critical)17.83%
2.CVE-2020-120479.8 (Critical)15.23%
3.CVE-2020-120459.8 (Critical)15.23%
4.CVE-2020-120439.8 (Critical)15.23%
5.CVE-2020-120419.8 (Critical)15.23%

ANALYST NOTES

It is advised that those using these pumps regularly analyze all systems on the network. There are currently no patches for these issues, but there are mitigations. Baxter Healthcare has published the following security bulletin, which provides some workarounds for these vulnerabilities: https://www.baxter.com/sites/g/files/ebysai746/files/2020-06/ICSMA-20-170-04.pdf.
Some hospitals may also need to consider using new or different pumps that are not affected by the flaws.

https://www.bleepingcomputer.com/news/security/over-100-000-medical-infusion-pumps-vulnerable-to-years-old-critical-bug/