Alaris™ Gateway Workstation Web Browser User Interface Lack of Authentication
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Voluntary vulnerability disclosure is an essential component to BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris™ Gateway Workstation. The contents of this notification will be disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and is voluntary reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).
This notification applies to the Alaris™ Gateway Workstation products:
This product is not sold or used in the United States, and there have been no reported exploits of this vulnerability.
This does not impact the latest firmware version 1.3.2 nor version 1.6.1.
BD has been made aware of a potential vulnerability that can impact Web Browser User Interface on the Alaris™ Gateway Workstation, standalone configuration only. If exploited, this vulnerability may allow an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the following information on the Web Browser User Interface:
Additionally, an attack may be able to change the Workstation’s network configuration and restart the Workstation.
Pages under configuration include:
Select information may also be viewed as plain text through the portal.xml interface.
CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris™ Gateway Workstation.
This vulnerability does not have a direct impact on any mounted infusion pump functionality or performance as this is a web-based application utilized for only the aggregation of data.
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within an organization that uses the Alaris™ Gateway Workstation.
7.3 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Rationale: A malicious attacker would need to gain access to the hospital’s internal network (at minimum, acquiring an IP on the subnet) for this attack to be successful. For this reason, we anticipate the attacker to have elevated privileges, however the Web Browser User Interface does not require authentication and therefore privileges are not required. A successful attack would involve compromise of system integrity, due to the risk of modification of network settings, and system/data availability, if an attacker pushes the Workstation into a reboot cycle. Pump information, such as model information and software version, is not deemed to be sensitive data, however data confidentiality is impacted as status, logging, network and configuration information are viewable and offer the ability to modify parameters.
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
Last BD Publication Update: 06/13/2019
Original BD Publication Date: 06/13/2019
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
Product Security Bulletin for Alaris™ Gateway Workstation
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ
© 2019 BD