Vulnerability Identified in BD Alaris Infusion Products

A medium severity vulnerability has been identified in the BD Alaris PC Unit, which is vulnerable to a denial of service attack which would cause it to drop its wireless capability.

The vulnerability was identified by Medigate and was reported to BD. BD subsequently reported the flaw under its responsible disclosure policy and has provided mitigations and compensating controls to help users manage the risks associated with the flaw until an updated version of BD Alaris PC Unit software is released.

The flaw affects the following BD products:

  • BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier
  • BD Alaris Systems Manager, Versions 4.33 and earlier

The issue is due to improper authentication between vulnerable versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. While the vulnerability can be exploited remotely, an attacker would need to first gain access to the network associated with the vulnerable devices, which limits the potential for exploitation. The vulnerability has been assigned a CVSS score of 6.5 out of 10.

Once access to the network is gained, an attacker could redirect the BD Alaris PC Unit’s authentication requests using custom code and complete an authentication handshake based on information extracted from the authentication requests.

Such an attack would not stop the Alaris PC Unit from functioning as programmed; however, network services would no longer be available, such as pre-populating the Alaris PC Unit with infusion parameters through EMR Interoperability or performing wireless updates of Alaris System Guardrails (DERS). An attacker would not be able to gain the necessary permissions to remotely program commands, and protected health information could not be accessed as it is encrypted. In a successful attack, the operator of the BD Alaris PC would have to manually program the pump, download data logs, or activate the new data set.

BD has already performed server upgrades which correct the vulnerability in many Systems Manager installations, with the flaw addressed in BD Alaris Systems Manager versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2. The vulnerability will be corrected in the upcoming new version of BD Alaris PC Unit software.

Users can reduce the potential for exploitation by enabling the firewall on the Systems Manager server image and implementing rules restricting inbound and outbound ports services restrictions.

“If a firewall is integrated between the server network segment and its wireless network segments, implement a firewall rule with an access control list (ACL) that restricts access to the wireless network segment via the specific MAC address of the wireless card on the pump. This would restrict access to the wireless segment to only authorized devices and not allow other devices to connect and authenticate to the segment,” explained BD in its security bulletin.

Since BD Alaris Systems Manager is a critical service, it should ideally operate on a secure network protected by a firewall. Unnecessary accounts, protocols and services should be disabled.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.