Last updated: August 09, 2022
Original Publication: November 12, 2020
This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA).
This product security bulletin is not related to the BD Alaris™ System recall notifications issued earlier this year.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the BD Alaris™ PC Unit and the BD Alaris™ Systems Manager. For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the DHS Cybersecurity and Infrastructure Security Agency (formerly Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).
BD has released the following Alaris™ PC Unit software, which addresses CVE-2020-25165:
BD recommends that customers update to Alaris™ PC Unit versions 12.1.1 or newer, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD Sales Representative.
This notification applies to the following BD Alaris™ products:
BD has been made aware of a network session vulnerability within the authentication process between specified versions of the BD Alaris™ PC Unit and the BD Alaris™ Systems Manager. If exploited, this vulnerability could allow an unauthorized user to establish a direct networking session between the two products.
BD has received no reports of exploits related to this vulnerability.
In order to exploit this vulnerability an unauthorized user would need access to the customer's wireless network, redirect the BD Alaris™ PC Unit's authentication requests with a custom code, and complete an authentication handshake based on the information extracted from the authentication requests.
If exploited, an unauthorized user could perform a denial of service attack on the BD Alaris™ PC Unit by modifying the configuration headers of data in transit. A denial of service attack could lead to a drop in the wireless capability of the BD Alaris™ PC Unit, resulting in manual operation of the PC Unit.
This vulnerability was reported to BD by security vendor Medigate.
Based on the risk evaluation for this vulnerability, the authentication process between BD Alaris™ PC Unit and Alaris™ Systems Manager is considered a low controlled risk with medium Common Vulnerability Scoring System (CVSS) severity. There is no documented evidence that this vulnerability has been exploited.
If a denial of service attack were successful, it could lead to a drop in the wireless capability of the Alaris™ PC Unit. The Alaris™ PC Unit will continue to function as programmed; however, network-based services such as pre-populating the Alaris™ PC Unit with infusion parameters through EMR Interoperability or wirelessly updating the Alaris™ System Guardrails™ (DERS) will not be available. The following includes a list of potential impact, and actions that should be taken should the vulnerability be exploited and an attack occurs:
|Inability to pre-populate the Alaris™ PC Unit with infusion parameters through EMR interoperability||After the operator scans the patient’s wristband, the drug label, and the pump, the EMR will register that the infusion parameters were not delivered to the pump. The operator will then manually program the pump per their training. The pump will continue to have Alaris™ Guardrails™ dose error reduction software (DERS) regardless of wireless connectivity.|
|Inability to wirelessly send Alaris™ PC Unit data (such as log information)||When connectivity is restored, the data logs are downloaded to the server. In addition, data logs can be manually downloaded.|
|Inability to wirelessly send a new Guardrails™ data set to the Alaris™ PC Unit||During a loss of wireless connectivity, new Guardrails™ data sets can be manually uploaded to the PC Unit or will be uploaded whenever the wireless connection is reset. Whether manually or wirelessly uploaded, a new data set must be manually activated on a PC Unit while the pump is idle (not infusing). The pump will continue to have Alaris™ Guardrails™ (DERS) regardless of wireless connectivity.|
Exploiting this vulnerability would not provide administration access to the BD Alaris™ PC Unit or the BD Alaris™ Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris™ PC Unit. Any Protected Health Information (PHI) or Personally Identifiable Information (PII) is encrypted.
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) to review the baseline Common Vulnerability Scoring System (CVSS) score as outlined below. This vulnerability score can be used in assessing risk within your own organization.
6.5 (medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Accessibility to the same network that the device is connected to, for example the local Wi-Fi, is a prerequisite for an attack to occur. Specialized access conditions and/or extenuating circumstances are not needed; therefore, the attack complexity is low. No user privileges or interaction are required to exploit this vulnerability. The scope of a potential attack remains unchanged and this vulnerability has no impact on the confidentiality, and a low impact on integrity of the message header information. This vulnerability could have a low impact on the availability between the pumps and the customer’s wireless network.
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office:
Product Security Bulletin for BD Alaris™ PC Unit 8015 and BD Alaris™ Systems Manager
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.