This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to products that are actively and not actively supported. These products are not sold or used in the United States.
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Voluntary vulnerability disclosure is an essential component to BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris™ Gateway Workstation. The contents of this notification will be disclosed publicly on the BD Product Security website ( http://www.bd.com/productsecurity) and is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).
Products in Scope
This notification applies to the Alaris™ Gateway Workstation, with the following versions only:
- 1.1.3 Build 10
- 1.1.3 MR Build 11
- 1.2 Build 15
- 1.3.0 Build 14
- 1.3.1 Build 13
This product is not sold or used in the United States, and there have been no reported exploits of this vulnerability. This does not impact the latest firmware version 1.3.2 nor version 1.6.1. The Alaris™ Gateway Workstation is intended to be used to provide mounting, power and communications support to the Alaris® Infusion Pumps range within the operating environment specified in the Directions For Use (DFU).
Additionally, this notification may apply to the following products, with software version 2.3.6 and below:
- Alaris™ GS (not actively supported)
- Alaris™ GH
- Alaris™ CC
- Alaris™ TIVA
Note: Only software versions for 2.3.6 and below are impacted. Software version 2.3.6 was released in 2006. These pumps were previously sold under the Asena brand. This does not apply to Alaris™ Medley devices. None of these products are sold in the United States.
BD has been made aware of a potential vulnerability that can impact the Alaris™ Gateway Workstation (Workstation). If exploited, this vulnerability may allow an attacker with malicious intention to remotely install unauthorized firmware. In order to access this vulnerability, an attacker would need to gain access to a hospital network, have intimate knowledge of the product, be able to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE. If an attacker is able to complete those steps, they may also utilize this vulnerability to change the scope to adjust commands on the infusion pump, including adjust the infusion rate on specific mounted infusion pumps, listed above.
In addition to the steps above, to exploit the vulnerability on the Workstation, an attacker would need to create an executable with custom code that can run in the Windows CE environment, understand how the internal communication protocols are utilized within the product and create a specific installer for the CAB file, with settings required to run the program. Adjusting the change in scope is difficult to exploit.
CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris™ Gateway Workstation.
Clinical Risk Assessment and Patient Safety Impact
BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient's IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker. BD has had zero reports of this issue occurring from any customer sites.
Product Security Risk Assessment and Vulnerability Score
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS), and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within an organization that uses products covered in this disclosure.
10.0 (Critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Rationale: A successful attack can be conducted over the network. A malicious attacker must first gain access to the hospital's internal network (at minimum, acquiring an IP on the subnet). The Alaris Gateway Workstation does not require authentication and therefore privileges are not required. While complexity exists for CAB file modification, this vulnerability for attack complexity is ranked as low due to lack of authentication for an attacker to exploit this vulnerability. The scope can change to affect only specific mounted infusion pumps outside the perimeter of the Workstation. High impacts to system and data integrity and availability exist as complete or partial disabling of the gateway is possible. Alaris Gateway Workstation information, such as model information and software version, is not deemed to be sensitive data however dosage rate and drug name are stored in memory in the Worksation; thus data confidentiality is low.
Mitigations & Compensating Controls
Begin Update A: August 28, 2019
To ensure the remediation, which removes accessibility to the SMB network share, has been successful, the validation period has been extended to the second week of September 2019. Once approved, customers will be able to request the patch on the BD Customer Portal.
End Update A: August 28, 2019
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
- Customers should utilize the latest firmware to eliminate the vulnerability
- Customers block the SMB protocol
- Customers should segregate their VLAN network
- Customers should ensure only appropriate associates have access to the customer network
BD has created a remediation which removes accessibility to the SMB network share. Further details, including implementation of the remediation, will be provided within 60 days of this original update.
Last BD Publication Update: 09/3/2019
Original BD Publication Date: 06/13/2019
For More Information
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
Product Security Bulletin for Alaris™ Gateway Workstation
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ
© 2019 BD