Two vulnerabilities have been identified in certain Becton Dickinson (BD) infusion pumps. One of the vulnerabilities is rated critical and has been given the maximum CVSS v3 score of 10 out of 10.
BD has a history of proactively searching for vulnerabilities, addressing cybersecurity issues, and communicating details of vulnerabilities in a timely fashion. BD voluntarily disclosed the two vulnerabilities in recent security bulletins and shared details of the flaws with Information Sharing and Analysis Organizations (ISAOs). In this instance, the vulnerabilities were discovered by Elad Luz of CyberMDX and reported to BD. The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued a security advisory about the flaws.
Both flaws affect BD Alaris™ Gateway Workstations, which are not sold or used in the United States. The affected devices are in use in around 50 countries, mostly in Europe, with the largest installed bases in Germany, Spain, the Netherlands, and the United Kingdom. Fewer than 3,000 devices are affected in any one country, and most countries have fewer than 1,000 affected devices. The flaws affect older firmware versions; the latest versions, 1.3.2 and 1.6.1, are not affected.
No reports have been received to suggest the vulnerabilities have been exploited in the wild, but due to the seriousness of the flaws, affected users are advised to upgrade to the latest version of the firmware and take the recommended steps to mitigate the vulnerabilities.
Information Exposure Vulnerability – High Severity
An information exposure vulnerability has been identified that can be exploited on a vulnerable Gateway Workstation used in its standalone configuration. An attacker who knows the IP address of the workstation terminal can browse to its web user interface and obtain read-only access to information such as monitoring data, configuration, event logs and the user guide. The vulnerability is tracked as CVE-2019-10962 and has been assigned a CVSS v3 base score of 7.3 out of 10, high severity.
Vulnerable versions are:
- 1.3 Build 10
- 1.3 MR Build 11
Unrestricted Upload of Unauthorized Firmware – Critical Severity
A critical vulnerability has been identified that could be exploited by an attacker to upload unauthorized firmware to a vulnerable device. If successfully exploited, an attacker could gain control of the device and its functions, including the infusion rate and dosage, and could even stop infusions entirely. It would also be possible to silence the device's alarms so that no alerts are generated.
According to ICS-CERT, “Exploitation of these vulnerabilities could allow unauthorized arbitrary code execution, which could allow an attacker to view and edit device status and configuration details as well as cause devices to become unavailable.”
The flaw is tracked as CVE-2019-10959 and has been assigned a CVSS v3 base score of 10 out of 10, critical severity.
Exploitation of the flaw would first require access to the hospital network. The attacker would then need to locate a vulnerable device and have intimate knowledge of the product, including the ability to modify and manipulate a CAB file.
A custom file capable of running in the Windows CE environment would have to be developed, the device's internal communications protocols used correctly, and a specific installer created for the manipulated CAB file and set to run the program. The complexity of the attack and the knowledge and skill required make this a difficult vulnerability to exploit.
The unrestricted firmware upload vulnerability affects the following Gateway Workstation firmware versions:
- 1.3 Build 10
- 1.3 MR Build 11
- 3.0 Build 14
- 3.1 Build 13
and the following Alaris infusion pumps when running software version 2.3.6:
- Alaris GS
- Alaris GH
- Alaris CC
- Alaris TIVA
The information exposure vulnerability is fully mitigated by updating to the latest firmware version. BD also recommends restricting access to the devices and isolating the network they sit on from untrusted systems.
The firmware upload vulnerability is likewise addressed by updating to the latest firmware version. For customers that cannot upgrade, BD will issue a patch within 60 days.
BD also recommends blocking the SMB protocol, segregating the devices on their own VLAN, applying access controls, and restricting the number of associates who have access to the customer network.
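The two compensating controls BD recommends, blocking SMB and keeping the gateway's web interface reachable only from trusted hosts, can be checked against observed traffic. The following script is an added example written for this article and is not code from BD, CyberMDX or ICS-CERT. The gateway addresses, the management subnet, the ports assumed for the workstation web UI (80/443), the flow-log format and the nftables table and chain names are all assumptions made for illustration; adapt them to the real network inventory.

```python
"""Audit network flows against the segmentation advice for Alaris Gateway
Workstations. Added example; not code from BD, CyberMDX or ICS-CERT.
Gateway addresses, management subnet, web UI ports, log format and nftables
chain names are assumptions for illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import List

GATEWAY_IPS = {"10.20.30.11", "10.20.30.12"}    # assumed gateway addresses
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")  # assumed biomed/IT management subnet
SMB_PORTS = {139, 445}                           # SMB, which BD recommends blocking
WEB_PORTS = {80, 443}                            # assumed ports of the workstation web UI


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str  # "smb" or "web-ui"


def parse_flow(line: str):
    """Constructed flow format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def audit_flows(lines) -> List[Finding]:
    """Return every flow to a gateway that violates the assumed policy."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        if dst not in GATEWAY_IPS or proto != "tcp":
            continue
        from_mgmt = ipaddress.ip_address(src) in MGMT_NET
        if dport in SMB_PORTS:
            # Any SMB session to a gateway contradicts the advice to block SMB,
            # whatever its source.
            findings.append(Finding(src, dst, dport, "smb"))
        elif dport in WEB_PORTS and not from_mgmt:
            # CVE-2019-10962: the standalone web UI exposes configuration and
            # logs to anyone who can reach it, so only management hosts should.
            findings.append(Finding(src, dst, dport, "web-ui"))
    return findings


def nft_block_rules() -> List[str]:
    """nftables commands enforcing the same policy (assumed 'inet filter'
    table with a 'forward' chain)."""
    rules = []
    for gw in sorted(GATEWAY_IPS):
        rules.append(f"nft add rule inet filter forward ip saddr {MGMT_NET} "
                     f"ip daddr {gw} tcp dport {{ 80, 443 }} accept")
        rules.append(f"nft add rule inet filter forward ip daddr {gw} "
                     f"tcp dport {{ 139, 445 }} drop")
        rules.append(f"nft add rule inet filter forward ip daddr {gw} "
                     f"tcp dport {{ 80, 443 }} drop")
    return rules


FLOW_LOG = """\
# src dst proto dport  -- constructed sample flows, not real traffic
10.99.0.5  10.20.30.11 tcp 443
10.50.7.23 10.20.30.11 tcp 80
10.50.7.23 10.20.30.12 tcp 445
10.99.0.5  10.20.30.12 tcp 445
10.50.7.40 10.20.30.11 udp 161
10.50.7.40 10.10.10.10 tcp 445
"""

if __name__ == "__main__":
    for f in audit_flows(FLOW_LOG.splitlines()):
        print(f"{f.reason:7} {f.src} -> {f.dst}:{f.dport}")
    print("\n".join(nft_block_rules()))
```

On the constructed sample the audit reports one web UI session from a non-management host and two SMB sessions, one of them from the management subnet; the SMB finding is raised regardless of source because the recommendation is to block the protocol outright, not merely to restrict it. Feed the function real flow or firewall logs after mapping them to the four-field format in `parse_flow`.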