CVE-2015-3952 in Plum A+ Infusion System
Summary
by MITRE
Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.
Analysis
by VulDB Data Team • 08/07/2023
The vulnerability identified as CVE-2015-3952 represents a critical security flaw in medical infusion devices manufactured by Hospira, specifically affecting the Plum A+ Infusion System versions 13.4 and earlier, Plum A+3 Infusion System versions 13.6 and earlier, and the Symbiq Infusion System version 3.13 and earlier. This weakness stems from the improper handling of wireless authentication credentials within the device firmware, where wireless keys are persistently stored in unencrypted plain text. The exposure of these credentials creates a significant attack surface that could be exploited by unauthorized parties to gain illicit access to medical infusion systems, potentially compromising patient safety and data integrity. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information), which addresses the insecure storage of sensitive data in plain text, making it susceptible to unauthorized access through various attack vectors.
The technical implementation of this flaw involves the storage mechanism within the affected medical devices where wireless network authentication credentials are not adequately protected through encryption or other security measures. When these devices are configured to connect to wireless networks for remote management or data transmission purposes, the wireless keys are written to storage locations without proper encryption, allowing any local attacker with access to the device to extract these credentials. This vulnerability is particularly concerning in healthcare environments where medical devices are often connected to hospital networks and may contain sensitive patient information or be directly involved in critical patient care processes. The exposure of wireless credentials could enable attackers to gain unauthorized network access, potentially leading to device manipulation, data exfiltration, or disruption of medical services.
The operational impact of CVE-2015-3952 extends beyond simple credential exposure, as it creates a pathway for adversaries to potentially compromise the entire medical device ecosystem. Attackers who obtain these wireless keys could perform man-in-the-middle attacks, gain persistent access to device management interfaces, or even manipulate infusion rates and other critical parameters through unauthorized remote access. The vulnerability affects multiple device models within the Hospira Plum and Symbiq product lines, indicating a systemic issue with how wireless authentication is handled across these platforms. This weakness could be exploited by attackers with physical access to the devices, network-based attacks, or through supply chain compromises, making it particularly dangerous in environments where medical devices are frequently accessed or where security controls are not properly implemented. The affected systems pose significant risks to patient safety and healthcare data security, as they could be manipulated to deliver incorrect medication dosages or provide unauthorized access to sensitive medical information.
Hospira has provided specific mitigation recommendations to address this vulnerability, including the closure of ports 20/FTP and 23/TELNET on the affected devices, which are standard network ports used for file transfer and remote terminal access, respectively. These port closures help to prevent unauthorized access through traditional network-based attack vectors while the wireless credentials remain exposed. The company has also introduced the Plum 360 Infusion System as a non-vulnerable alternative, indicating that the security measures have been properly implemented in the newer model. Organizations should implement comprehensive network segmentation to isolate these devices from critical network segments, deploy network monitoring solutions to detect unauthorized access attempts, and conduct regular vulnerability assessments to identify similar weaknesses in their medical device inventory. The remediation process requires careful coordination between IT security teams, clinical staff, and device vendors to ensure that security measures are properly implemented without disrupting critical patient care operations. This vulnerability highlights the importance of secure device design principles and the need for robust credential management practices in medical device security, aligning with ATT&CK techniques related to credential access and lateral movement within healthcare environments.
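An added example, not part of the MITRE, VulDB or Hospira material: one way to confirm from network flow logs that the recommended closure of ports 20/FTP and 23/TELNET actually holds on a segment of affected pumps. The subnet, the approved management host and the log format are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values (not from the advisory): the pump subnet and the one
# management host that is expected to talk to the pumps at all.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.5")}
WATCHED_PORTS = {20: "FTP", 23: "TELNET"}  # ports Hospira recommends closing

# Constructed flow records: timestamp src dst proto dport action
SAMPLE_FLOWS = """\
2024-01-15T10:00:01Z 10.20.1.5 10.20.30.11 tcp 23 ACCEPT
2024-01-15T10:00:07Z 10.40.8.77 10.20.30.11 tcp 23 ACCEPT
2024-01-15T10:01:12Z 10.40.8.77 10.20.30.12 tcp 20 DENY
2024-01-15T10:02:30Z 10.40.8.77 10.20.30.12 tcp 443 ACCEPT
2024-01-15T10:03:00Z 10.40.8.77 10.99.0.4 tcp 23 ACCEPT
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, proto, dport, action) or None if unparsable."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), action.upper())
    except ValueError:
        return None

def findings(log_text):
    """List (severity, src, dst, service) for FTP/TELNET flows to pumps."""
    out = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[3] != "tcp":
            continue
        _, src, dst, _, dport, action = flow
        if dst not in PUMP_NET or dport not in WATCHED_PORTS:
            continue
        if action == "ACCEPT":
            # The port is still reachable, so the closure is not in effect.
            severity = "review" if src in ALLOWED_SOURCES else "high"
        else:
            severity = "info"  # attempt was blocked; still worth a record
        out.append((severity, str(src), str(dst), WATCHED_PORTS[dport]))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_FLOWS):
        print(*finding)
```

An accepted flow from the approved host is still reported as "review", because any reachable TELNET or FTP service on a pump means the recommended closure has not been applied there.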