BD Alaris™ System with Guardrails™ Suite MX

Bulletin and Patches

Oct 26, 2023

Bulletins

HIGH

Last updated: Oct 26, 2023

Original Publication: July 13, 2023

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to security vulnerabilities found within the BD Alaris™ System with Guardrails™ Suite MX, versions 12.1.3 and earlier.

As a routine practice, BD has voluntarily shared these vulnerabilities with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

The eight security vulnerabilities below are present on the BD Alaris™ System v12.1.3 and earlier versions. All the vulnerabilities in this bulletin were discovered through routine internal security testing, which is part of our software development life cycle. There have been no reports of these vulnerabilities being exploited.

BD has performed risk assessments on each vulnerability in accordance with AAMI-TIR57 and ISO 14971 where potential safety impact was possible. For all eight vulnerabilities, it has been determined that the product's existing control measures effectively reduce the probability of harm, and the residual risk is considered acceptable. Remediation and deployment planning for these vulnerabilities is currently in progress. This disclosure will be updated when more information is available.

BEGIN UPDATE A: Oct 26, 2023

Remediation

BD has released the BD Alaris™ System v12.3 with the following software, which remediates CVE-2018- 1285, CVE 2023-30563, CVE 2023-30564, and CVE-2023-30565 and partially remediates CVE 2023- 30562:

BD Alaris™ Systems Manager Software version 12.5.1
Calculation Services, version 1.1.1

Additional details:

BD Alaris™ System v12.3, which includes BD Alaris™ Guardrails™ Editor version 12.1.3, partially remediates CVE 2023-30562 and reduces the CVSS score from 6.7 (Medium) to 3.0 (Low). Additional information is provided below under Vulnerability Details.
BD Alaris™ System v12.3 is no longer compatible with the CQI Reporter version 10.17 and earlier. Therefore CVE-2023-30565 no longer applies.

BD recommends customers update to the BD Alaris™ System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.

BD also updated the BD Alaris™ PCU Model 8015 to version 12.3.1 when the BD Alaris™ System v12.3 was released. The following CVEs are still present on the BD Alaris™ PCU Model 8015 version 12.3.1: CVE-2023-30559, CVE-2023-30560 and CVE-2023-30561. This bulletin will be updated with additional remediation information when available.

END UPDATE A: Oct 26, 2023

For additional information, customers may request a copy of the latest BD Alaris™ System Product Security White Paper by visiting the BD Cybersecurity Trust Center.

BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier 

1. CVE-2023-30559 - Wireless Card Firmware Improperly Signed (Medium) 

2. CVE-2023-30560 - PCU Configuration Lacks Authentication (Medium) 

3. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus (Medium) 

BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier 

4. CVE-2023-30562 - Lack of Dataset Integrity Checking (Medium) 

BD Alaris™ Systems Manager, versions 12.3 and earlier 

5. CVE-2023-30563 - Stored Cross-Site-Scripting (XSS) on User Import Functionality (High) 

6. CVE-2023-30564 - Stored Cross-Site-Scripting (XSS) on Device Import Functionality (Medium)  

CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter) 

7. CVE-2023-30565 - CQI Data Sniffing (Low) 

Calculation Services, versions 1.0 and earlier (only applicable to customers currently using Interoperability features) 

8. CVE-2018-1285 - Apache Log4Net Calculation Services (Low) 

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. BD assigned the below CVSS scores to these vulnerabilities.

1. CVE-2023-30559 - Wireless Card Firmware Improperly Signed

Vulnerability Description: The firmware update package for the wireless card is not properly signed and can be modified.

CVSS 5.2 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Rationale: Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is low impact to the confidentiality and the integrity of the system. However, there is a high impact to the availability of the system.

2. CVE-2023-30560 - PCU Configuration Lacks Authentication

Vulnerability Description: The configuration from the PCU can be modified without authentication using physical connection to the PCU.

CVSS 6.8 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rationale: Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no specialized access conditions or extenuating circumstances are required. Additionally, no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality, integrity and availability.

3. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus

Vulnerability Description: The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

CVSS 6.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Rationale: A threat actor would require physical access to the BD Alaris™ PCU via a specially configured device for protocol exploration and exploitation. While the complexity of this exploit is low, significant technical experience is required. No specialized privileges or user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality and integrity. However, there is no impact to the availability of the system.

4. CVE-2023-30562 - Lack of Dataset Integrity Checking

Vulnerability Description: A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.

BEGIN UPDATE A: Oct 26, 2023

For the BD Alaris™ Infusion System 12.1.3 (GRE 12.1.2) and earlier versions, the original CVSS score still applies:

CVSS 6.7 (Medium) CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Rationale: A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low because the attacker only needs to modify certain fields within the system. To modify the file, the threat actor would need to have generalized permissions. System Manager user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is no impact to the confidentiality of the system. This exploit would impact the integrity of GRE dataset file directly as it would be subject to out-of-band modification. Additionally, any such modification would have the potential of disabling the effective use of downstream PCUs, impacting the overall availability of the system.

For the BD Alaris™ Infusion System version 12.3 (GRE 12.1.3), the CVSS score has been reduced to Low:

CVSS 3.0 (Low) CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Rationale: A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low because the attacker only needs to modify certain fields within the system. To modify the file, the threat actor would need to have generalized permissions. System Manager user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There are no impacts on the confidentiality or availability of the system. Impact to integrity is low because, while tampering of the GRE file is possible, an attacker is not able to control the direct consequences of the tampering.

END UPDATE A: Oct 26, 2023

5. CVE-2023-30563 - Stored Cross-Site Scripting on User Import Functionality

Vulnerability Description: A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.

CVSS 8.2 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Rationale: A threat actor requires network access to the Systems Manager (SM) application. If no privileges are required on the computer running SM, the complexity of exploiting this vulnerability is low. Systems Manager user interaction is required. If this vulnerability were to be successfully exploited, it could impact other systems containing sensitive information. There is no impact to availability, a low impact to integrity of the SM application and a high impact to confidentiality.

6. CVE-2023-30564 - Stored Cross-Site Scripting on Device Import Functionality

Vulnerability Description: Alaris Systems Manager does not perform input validation during the Device Import Function.

CVSS 6.9 (Medium) CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Rationale: The threat actor would need to be on an adjacent network to successfully exploit this vulnerability. If there is no requirement for an attacker to be authenticated to the host machine, the attack complexity is low. Any Systems Manager user is required to load a malicious payload. This vulnerability could cause impacts beyond the Systems Manager to other components. There is no impact to availability. However, there is low impact to integrity and high impact to confidentiality.

7. CVE-2023-30565 - CQI Data Sniffing

Vulnerability Description: An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.

CVSS Score: 3.5 (Low) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Rationale: A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low and there are no specialized privileges or user interaction required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a low impact to confidentiality due to data flow access, there are no impacts to integrity or availability.

8. CVE-2018-1285 - Apache Log4Net Calculation Services

Vulnerability Description: A lack of input validation within Apache Log4Net (due to an outdated software version) could allow a threat actor to execute malicious commands.

CVSS Score: 3.0 (Low) CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Rationale: A threat actor would require local access to Systems Manager. An attacker would be required to have elevated privileges after accessing the target system and modify a vulnerable instance of the Log4Net configuration file. User interaction is not required and, if exploited, the threat actor could not make changes to other components of the system. While there is no impact to confidentiality of the application, there is a low impact to both integrity and availability.

BD has assessed the clinical risk and patient safety impact of these vulnerabilities. The following two vulnerabilities have no clinical impact or safety concern at this time:

CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)

CQI Data Sniffing (CVE-2023-30565)
- Viewing CQI data has no impact to the function of the BD Alaris™ System.

BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier

Lack of Cryptographic Security of IUI Bus (CVE-2023-30561)
- For this vulnerability the likelihood of applying a manned, specially crafted device undetected at the bedside has been determined to be reasonably unforeseeable.

The remaining vulnerabilities have the possibility to impact patient safety. However, the potential for harm can only occur if the vulnerability is exploited; there have been no reports of exploitation in any customer environment or clinical setting.

BD Alaris™ Point-of-Care Unit (PCU) Model 8015, versions 12.1.3 and earlier

PCU Configuration Lacks Authentication (CVE-2023-30560)
- The BD Alaris™ PCU has one vulnerability that impacts a single PCU and requires physical access to exploit. If exploited, physical access will allow unauthorized tampering and modification of configurations, which may result in a partial or total loss of integrity. Modifications to firmware, datasets, network credentials and log files are possible, which may impact functionality of the Alaris System and require the PCU to be replaced. The system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier

Lack of Dataset Integrity Checking (CVE-2023-30562)
- Guardrails™ Editor has one vulnerability. If exploited, an attacker can pivot from Systems Manager to Guardrails Editor to misconfigure the dataset. This may result in the inadvertent activation of an undesired dataset on the PCU. However, the system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

BD Alaris™ Systems Manager, versions 12.3 and earlier

Stored Cross-Site-Scripting (XSS) on User Import Functionality (CVE-2023-30563) and Stored Cross-Site-Scripting (XSS) on Device Import Functionality (CVE-2023-30564)
- BD Alaris™ Systems Manager has two vulnerabilities. If either is exploited, limited administrative services, such as importing new datasets, would lead to a minor delay in therapy until restored; however, the PCU will continue to operate as intended with the existing dataset. The system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

BD Alaris™ EMR Interoperability

Wireless Card Firmware Improperly Signed (CVE-2023-30559) and Apache Log4Net Calculation Services (CVE-2018-1285)
- There are two vulnerabilities that affect customers using BD Alaris™ EMR Interoperability. If exploited, a loss of application or network connectivity could lead to a delay in therapy. The system is designed to allow a clinician to program the infusion manually (standard non-interop programming workflow). The clinician can immediately program the infusion manually after the failure of an Automated Programming Request(APR). Moreover, the system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

To further reduce the risk associated with these vulnerabilities, BD recommends customers implement the following mitigations and compensating controls:

Network Security

Provide appropriate network perimeter security, such as firewalls, or create Access Control Lists (ACL) to limit network traffic from devices to only the required ports on the required endpoints. The PCU only requires access to DNS, DHCP and Systems Manager on port 3613. The PCU does not accept any unsolicited inbound traffic. Segmenting BD Alaris™ PCUs onto their own VLAN to further enhance the security of BD Alaris™ PCUs is highly recommended.
Customers should control network access to the Systems Manager server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the Systems Manager Virtual Machine Deployment Guide. Customers should apply SSL certificates from valid Certificate Authorities, per Chapter 9 of the same document.
Enable authentication challenge password for network configuration changes, per Chapter 1 of the Alaris System Maintenance Software User Manual.
Rotate Wi-Fi network credentials in alignment with customer security policies and NIST SP 800-63, “Digital Identity Guidelines.” See Network Settings within the Alaris System Maintenance User Manual for instructions on how to manage these credentials. Monitor network traffic for unusual or unexpected traffic and activity. In the event the credentials are suspected of being exposed, change the credentials immediately.
Utilize MAC filtering to restrict access to only those approved/whitelisted devices necessary to operate on the network segment containing the BD Alaris™ System.

Software Security

Periodically inspect BD Alaris™ System components to ensure they are running the correct version of software. Software versions can be found using the instructions in Chapter 4 of the Systems Manager User Manual or Section 6.2.10 of the BD Alaris™ PCU and Pump Module Technical Service Manual.

System Security

Adhere to industry security best practices regarding access control, identification and authorization, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
Inspect the BD Alaris™ System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris™ System Products Service Manual.

NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST SP 800-63, “Digital Identity Guidelines,” is available at: https://pages.nist.gov/800-63-3/
For product or site-specific concerns, contact your BD customer support representative.