Posted by Mike Ahmadi on March 29, 2016
Back in my Codenomicon days security researcher Billy Rios and I began looking at software running on medical devices using our Appcheck product (now known as Synopsys Protecode SC). We were hoping to find a few software vulnerabilities to determine how effective our product was at finding such bugs. Once we began investigating we were quite taken aback by how many vulnerabilities were present on the medical devices. We typically saw bugs numbering in the two digit range on the low side, and into the thousands on the high side. Wow!
It occurred to me that the processes in place to address medical device security issues, both from the industry standpoint and the regulatory standpoint, were perhaps in need of some serious soul searching in order to address this runaway issue. One product we tested had over 1600 vulnerabilities and when graphed over time we determined that nearly one new vulnerability was affecting it per day.
I sent the CareFusion Pyxis SupplyStation results with over 1400 vulnerabilities to the FDA as a reminder that a bit more urgency was perhaps in order. They sent the report to DHS ICS-CERT, and this began a process between me, ICS-CERT, and CareFusion (now owned by BD). The person I worked with directly at BD was Rob Suarez, who I had worked with (briefly) while he was with another medical device vendor. What struck me about working with Rob and his team at BD is that they did not deny any of the vulnerabilities existed, and also offered up all affected systems (6 total), voluntarily for use in the advisory.
Here is the official advisory from ICS-CERT.
In summary, there are six affected CareFusion products, with a total of 1418 vulnerabilities present in seven different third-party vendor software packages. Here is the breakdown:
VULNERABLE THIRD-PARTY SOFTWARE VERSIONS
Version 8.1.3 of the Pyxis SupplyStation system, last updated around April 2010, was tested and determined to contain 1,418 vulnerabilities that are present in 7 different third-party vendor software packages, spread across 86 different files. The breakdown of the 1,418 vulnerabilities by CVSS score is as follows:
• 715 vulnerabilities were identified as having a CVSS base score of 7.0-10.0,
• 606 vulnerabilities were identified as having a CVSS base score of 4.0-6.9, and
• 97 vulnerabilities were identified as having a CVSS base score of 0-3.9.
Third-party software components for these legacy versions of the Pyxis SupplyStation are:
• BMC Appsight 5.7,
• SAP Crystal Reports 8.5,
• Flexera Software Installshield,
• Microsoft Windows XP,
• Sybase SQL Anywhere 9,
• Symantec Antivirus 9, and
• Symantec pcAnywhere 10.5.
These vulnerabilities could be exploited remotely.
EXISTENCE OF EXPLOIT
Exploits that target these vulnerabilities are publicly available.
An attacker with low skill would be able to exploit many of these vulnerabilities.
It is important to note here that the issues are in the third-party packages, which we have been preaching about for the last several years. Up to 90% of the software used in development today is third-party.
In closing, I want to stress that BD was very cooperative, and wishes to continue collaborating with us and other security research organizations.
Kudos to Rob Suarez and the BD team, and to Billy Rios for his great work with Synopsys!