This morning the DHS ICS-CERT published their first ‘medical
advisory’ for a whole slew (new technical term) of vulnerabilities in older
versions of the CareFusion Pyxis SupplyStation. It appears that ICS-CERT is
establishing a separate category of advisories for medical devices; the same
information, just a separate naming-numbering system.
The Advisory
The advisory outlines (saying ‘describes’ would be a gross exaggeration of
terminology) over 1400 3rd-party vulnerabilities in older, unsupported versions
of the system still running on Windows Server 2003/XP. The vulnerabilities are
categorized based upon their CVSS base score: CVSS 7.0 – 10.0, 715
vulnerabilities; CVSS 4.0 – 6.9, 606 vulnerabilities; and CVSS 0.0 – 3.9, 97
vulnerabilities.
The vulnerabilities were reported by Billy Rios and Mike
Ahmadi in collaboration with CareFusion. The affected systems are at the end of
their life and CareFusion does not plan on updating the software. The medical
advisory does provide a list of mitigating measures that CareFusion recommends
for owners of the older devices that remain in use.
Commentary
While a new name and number for these medical device
advisories will make it easier for medical-device security-researchers to keep
up with advisories that specifically apply to their specialties, ICS-CERT is
(for now at least) keeping these advisories listed on the same page as the more
traditional control system advisories and alerts. I wonder if we are also going
to see a new name for other non-traditional control systems such as building
control systems, security control systems and transportation control systems?
Billy and Mike reportedly used an “automated software
composition analysis tool” to identify this huge number of vulnerabilities. I’m
assuming that what they did was identify the different software components (see
the listing in the medical advisory) and then looked up the vulnerabilities
listed for each of the components. Then I would assume that CareFusion
confirmed that they had issued no patches for any of the listed
vulnerabilities. I wonder if they did the same thing for the various 3rd-party
libraries used by the various components? I do hope that Billy and Mike are
planning on doing a presentation on this investigation at one of the
conferences this year.
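The component-inventory-then-lookup workflow speculated about above, written out as an added example for this post; it is not the tool Rios and Ahmadi used, and the component inventory, vulnerability table, vendor patch list and the VULN-nnnn identifiers are all constructed placeholders rather than real CVEs. The script matches each vulnerability to an installed component and version, drops anything the vendor confirmed as patched, and tallies the rest into the same three CVSS base-score bands the advisory uses.

```python
"""Toy software-composition-analysis (SCA) tally (added example, constructed data).

Given an inventory of the software components on one device build and a
vulnerability table, match vulnerabilities to the installed components,
drop the ones the vendor already patched, and count what remains by CVSS
base-score band. All identifiers below are placeholders, not real CVEs.
"""
from dataclasses import dataclass

# CVSS base-score bands as the advisory groups them: (label, low, high), inclusive
BANDS = (("high", 7.0, 10.0), ("medium", 4.0, 6.9), ("low", 0.0, 3.9))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                # placeholder identifier (hypothetical)
    component: str              # component the vulnerability is filed against
    affected_versions: tuple    # version strings known to be affected (constructed)
    cvss: float                 # CVSS base score, one decimal place


# Constructed inventory of one device build: component name -> installed version
INVENTORY = {
    "os": "Server 2003",
    "web-runtime": "1.2",
    "db-client": "4.0",
    "image-lib": "0.9",
}

# Constructed vulnerability table standing in for what an SCA tool would look up
VULN_TABLE = [
    Vuln("VULN-0001", "web-runtime", ("1.1", "1.2"), 9.3),
    Vuln("VULN-0002", "web-runtime", ("1.0",), 7.5),       # installed 1.2 not affected
    Vuln("VULN-0003", "db-client", ("4.0",), 5.0),
    Vuln("VULN-0004", "image-lib", ("0.9",), 2.1),
    Vuln("VULN-0005", "image-lib", ("0.9",), 7.8),
    Vuln("VULN-0006", "report-engine", ("2.0",), 10.0),    # component not installed
    Vuln("VULN-0007", "os", ("Server 2003",), 6.8),
]

# Constructed set of vulnerability ids the vendor confirmed it has patched
PATCHED = {"VULN-0007"}


def band_for(score):
    """Map a CVSS base score to its band label; reject scores outside 0.0-10.0."""
    for label, low, high in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range: {score}")


def match_vulns(inventory, table, patched):
    """Return the vulnerabilities that apply to this build: the component is
    installed, the installed version is in the affected list, and the vendor
    has not already issued a patch for it."""
    applicable = []
    for vuln in table:
        installed = inventory.get(vuln.component)
        if installed is None:                  # component not present on this build
            continue
        if installed not in vuln.affected_versions:
            continue
        if vuln.vuln_id in patched:            # vendor already shipped a fix
            continue
        applicable.append(vuln)
    return applicable


def tally_by_band(vulns):
    """Count vulnerabilities per CVSS band, keeping every band present (even 0)."""
    counts = {label: 0 for label, _, _ in BANDS}
    for vuln in vulns:
        counts[band_for(vuln.cvss)] += 1
    return counts


if __name__ == "__main__":
    hits = match_vulns(INVENTORY, VULN_TABLE, PATCHED)
    for v in hits:
        print(f"{v.vuln_id}  {v.component} {INVENTORY[v.component]}  CVSS {v.cvss}  ({band_for(v.cvss)})")
    print(tally_by_band(hits))
```

The version check is the step that matters most in practice: a lookup keyed on component name alone inflates the count with findings for versions the device never shipped, while a lookup that ignores the vendor's own patch record under-counts what is actually still exposed.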
This is, HOPEFULLY, an outlier example of the problem of
bundling software systems and then attempting (or, as is apparent in this case,
not attempting) to keep up with all of the patches and updates for the
various programs. This may be an extreme example, but I would bet that it is not
the only product with this problem, either in the medical device category or
any other ICS category for that matter.
As a side note, don’t be too quick to chide the Pyxis owners
for still using medical devices based upon the outdated Server 2003/XP products.
CareFusion has apparently worked with Microsoft to continue supporting their
systems past the normal XP end-of-life. Apparently smaller hospitals and other
medical facilities with limited equipment budgets use an equipment utilization
model that is not uncommon in more traditional automation environments; if it
ain’t broke, don’t mess with it.