Alaris™ Gateway Workstation Unauthorized Firmware
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Voluntary vulnerability disclosure is an essential component to BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the Alaris™ Gateway Workstation. The contents of this notification will be disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and are voluntarily reported by BD to the Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).
This notification applies to the Alaris™ Gateway Workstation, with the following versions only:
This product is not sold or used in the United States, and there have been no reported exploits of this vulnerability. The vulnerability does not affect the latest firmware version, 1.3.2, or version 1.6.1. The Alaris™ Gateway Workstation is intended to provide mounting, power and communications support to the Alaris® infusion pump range within the operating environment specified in the Directions For Use (DFU).
Additionally, this notification may apply to the following products, with software version 2.3.6 and below:
Note: Only software versions 2.3.6 and below are affected. Software version 2.3.6 was released in 2006. These pumps were previously sold under the Asena brand. This does not apply to Alaris™ Medley devices. None of these products are sold in the United States.
BD has been made aware of a potential vulnerability that can impact the Alaris™ Gateway Workstation (Workstation). If exploited, this vulnerability may allow an attacker with malicious intent to remotely install unauthorized firmware. To exploit this vulnerability, an attacker would need to gain access to a hospital network, have intimate knowledge of the product, and be able to modify a CAB file (the archive format Windows CE uses to package installation files). If an attacker is able to complete those steps, they could also use this vulnerability to change scope and issue commands to the infusion pump, including adjusting the infusion rate on the specific mounted infusion pump models listed above.
In addition to the steps above, to exploit the vulnerability on the Workstation an attacker would need to create an executable with custom code that runs in the Windows CE environment, understand how the internal communication protocols are used within the product, and create a specific installer for the CAB file with the settings required to run the program. The change in scope is difficult to exploit.
CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris™ Gateway Workstation.
BD has assessed the change in scope of this vulnerability for clinical impact. Although it is theoretically possible to remotely exploit the vulnerability on the Workstation and then deliver custom executable code that impacts the delivery of a patient's IV infusion, BD concluded that patient harm is unlikely to occur because a highly trained attacker would have to carry out a sequence of events in a specific order. BD has had zero reports of this issue occurring from any customer sites.
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) and independent security researchers to review the base and temporal Common Vulnerability Scoring System (CVSS) scores outlined below. These vulnerability scores can be used in assessing risk within an organization that uses products covered in this disclosure.
10.0 (Critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Rationale: A successful attack can be conducted over the network. A malicious attacker must first gain access to the hospital's internal network (at minimum, acquiring an IP address on the subnet). The Alaris Gateway Workstation does not require authentication, and therefore no privileges are required. Although modifying the CAB file involves some complexity, attack complexity is rated low because no authentication is needed to exploit the vulnerability. The scope can change to affect specific mounted infusion pumps outside the security perimeter of the Workstation. The impacts on system and data integrity and availability are high, since complete or partial disabling of the gateway is possible. Alaris Gateway Workstation information such as model information and software version is not deemed sensitive; however, dosage rate and drug name are stored in memory on the Workstation, so the confidentiality impact is rated low.
To ensure that the remediation, which removes accessibility to the SMB network share, has been successful, the validation period has been extended to the second week of September 2019. Once it is approved, customers will be able to request the patch on the BD Customer Portal.
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
BD has created a remediation which removes accessibility to the SMB network share. Further details, including implementation of the remediation, will be provided within 60 days of this original update.
Last BD Publication Update: 09/3/2019
Original BD Publication Date: 06/13/2019
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
Product Security Bulletin for Alaris™ Gateway Workstation
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ
© 2019 BD