This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to products that are actively supported. These products are not sold or used in the United States.
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Voluntary vulnerability disclosure is an essential component of BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris™ Gateway Workstation. The contents of this notification will be disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and are voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).
Products in Scope
This notification applies to the Alaris™ Gateway Workstation products:
- Alaris Gateway Workstation Web Browser User Interface, a web-based application, for the following versions only:
  - 1.1.3 Build 10
  - 1.1.3 MR Build 11
This product is not sold or used in the United States, and there have been no reported exploits of this vulnerability.
This does not impact the latest firmware version 1.3.2 nor version 1.6.1.
BD has been made aware of a potential vulnerability that can impact the Web Browser User Interface on the Alaris™ Gateway Workstation, standalone configuration only. If exploited, this vulnerability may allow an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the following information on the Web Browser User Interface:
- Event Logs
- User Guide
Note: Monitoring, Event Logs and User Guide have read-only access. Pages under configuration offer the ability to modify parameters.
By default, no patient information is stored on the Web Browser User Interface.
Additionally, an attacker may be able to change the Workstation’s network configuration and restart the Workstation.
Pages under configuration include:
- Date & Time; changes to these values would affect timestamps of log entries and snapshots of Patient Data Management System
- Alarm Settings
- Wired Networking
- Wireless Networking
  Note: This only applies to option 03 Alaris Gateway Workstations which utilize Wi-Fi adapters. This accounts for a small percentage of legacy devices.
- Serial ports
Select information may also be viewed as plain text through the portal.xml interface.
CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris™ Gateway Workstation.
Clinical Risk Assessment and Patient Safety Impact
This vulnerability does not have a direct impact on any mounted infusion pump functionality or performance as this is a web-based application utilized for only the aggregation of data.
Product Security Risk Assessment and Vulnerability Score
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within an organization that uses the Alaris™ Gateway Workstation.
7.3 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Rationale: A malicious attacker would need to gain access to the hospital’s internal network (at minimum, acquiring an IP on the subnet) for this attack to be successful. For this reason, we anticipate the attacker to have elevated privileges; however, the Web Browser User Interface does not require authentication and therefore privileges are not required. A successful attack would involve compromise of system integrity, due to the risk of modification of network settings, and system/data availability, if an attacker pushes the Workstation into a reboot cycle. Pump information, such as model information and software version, is not deemed to be sensitive data; however, data confidentiality is impacted as status, logging, network and configuration information are viewable and offer the ability to modify parameters.
Mitigations & Compensating Controls
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
- BD recommends customers utilize the latest firmware version 1.3.2 or 1.6.1
- Customers should ensure only appropriate associates have access to their network
- BD recommends customers isolate their network from untrusted systems
Last BD Publication Update: 06/13/2019
Original BD Publication Date: 06/13/2019
For More Information
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
Product Security Bulletin for Alaris™ Gateway Workstation
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ
© 2019 BD