Critical Flaw Identified in BD Alaris Plus Medical Syringe Pumps

A critical remotely exploitable flaw has been detected in BD Alaris Plus medical syringe pumps. The flaw would enable a threat actor to gain access to an affected medical syringe pump when it is connected to a terminal server via the serial port. If the flaw is exploited a threat actor could alter the intended function of the pump.

The flaw is an improper authentication vulnerability. The software fails to perform authentication for functionality that requires a provable user identity.

The flaw was identified by Elad Luz of CyberMDX who notified Becton, Dickinson and Company (BD), which in turn voluntarily reported the vulnerability to the National Cybersecurity & Communications Integration Center and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The latter issued an advisory about the vulnerability on August 23, 2018.

The vulnerability affects version 2.3.6 of Alaris Plus medical syringe pumps and prior versions, specifically the Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA products. The vulnerability has been assigned a CVSS v3 score of 9.4 out of 10 and is being tracked as CVE-2018-147.

BD has explained that the vulnerability does not affect any products that are sold in the United States. All current versions of Alaris Plus pumps do not have the vulnerability. Vulnerable devices were previously sold in the European Union.

The vulnerability cannot be exploited while the device is connected to the Alaris Gateway Workstation docking station as the remote-control feature is disabled when the device is connected to the docking station.

If the device is not switched on it cannot be turned on remotely. BD also notes that were the flaw to be exploited access to PII or PHI could not be gained.

BD has explained that an attack utilizes a known vulnerability in terminal servers. Use of the device with terminal servers is not supported. To reduce the potential for the flaw to be exploited, all users have been advised to operate the affected pumps as stand-alone devices or alternatively they should be used in a segmented network environment.

The ICS-CERT advisory claims the vulnerability would only require a low level of skill to exploit, although according to BD, “To execute this attack one would need to ensure the affected device is connected to a terminal server via the serial port, have an understanding of the device communication protocol, have access to specific driver software to implement the pump protocol communication and the ability to penetrate a customer network and gain unauthorized access to terminal server devices.”

Because of the sequence of events required to exploit the vulnerability, BD said “the probability of an unauthorized breach in network security that impacts the delivery of a patient’s IV infusion is negligible.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.