Alaris Gateway Workstation Web Browser User Interface Lack of Authentication

Jun 13, 2019


This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

It applies to products that are actively supported. These products are not sold or used in the United States.

BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Voluntary vulnerability disclosure is an essential component to BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris Gateway Workstation. The contents of this notification will be disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and is voluntary reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).

Products in Scope

This notification applies to the Alaris Gateway Workstation products:

  • Alaris Gateway Workstation Web Browser User Interface, a web-based application, for the following versions only:
    • 1.0.13
    • 1.1.3 Build 10
    • 1.1.3 MR Build 11
    • 1.1.5
    • 1.1.6

This product is not sold or used in the United States, and there have been no reported exploits of this vulnerability.

This does not impact the latest firmware version 1.3.2 nor version 1.6.1.

Vulnerability Details

BD has been made aware of a potential vulnerability that can impact Web Browser User Interface on the Alaris Gateway Workstation, standalone configuration only. If exploited, this vulnerability may allow an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the following information on the Web Browser User Interface:

  • Monitoring
  • Event Logs
  • User Guide
  • Configuration
    Note: Monitoring, Event Logs and User Guide have read-only access. Pages under configuration offer the ability to modify parameters.

By default, no patient information is stored on the Web Browser User Interface.

Configuration Details

Additionally, an attack may be able to change the Workstation’s network configuration and restart the Workstation.

Pages under configuration include:

  • Identification
  • Date & Time; changes to these values would affect timestamps of log entries and snapshots of Patient Data Management System
  • Alarm Settings
  • Wired Networking
  • Wireless Networking
    Note: This only applies to option 03 Alaris Gateway Workstations which utilize Wi-Fi adapters. This accounts for a small percentage of legacy devices.
  • Serial ports

Select information may also be viewed as plain text through the portal.xml interface.

CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris Gateway Workstation.

Clinical Risk Assessment and Patient Safety Impact

This vulnerability does not have a direct impact on any mounted infusion pump functionality or performance as this is a web-based application utilized for only the aggregation of data.

Product Security Risk Assessment and Vulnerability Score

BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within an organization that uses the Alaris Gateway Workstation.

7.3 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Rationale: A malicious attacker would need to gain access to the hospital’s internal network (at minimum, acquiring an IP on the subnet) for this attack to be successful. For this reason, we anticipate the attacker to have elevated privileges, however the Web Browser User Interface does not require authentication and therefore privileges are not required. A successful attack would involve compromise of system integrity, due to the risk of modification of network settings, and system/data availability, if an attacker pushes the Workstation into a reboot cycle. Pump information, such as model information and software version, is not deemed to be sensitive data, however data confidentiality is impacted as status, logging, network and configuration information are viewable and offer the ability to modify parameters.

Mitigations & Compensating Controls

BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:

  • BD recommends customers utilize the latest firmware version 1.3.2 or 1.6.1
  • Customers should ensure only appropriate associates have access to their network
  • BD recommends customers isolate their network from untrusted systems

Last BD Publication Update: 06/13/2019
Original BD Publication Date: 06/13/2019

For More Information

For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity

June 2019
Product Security Bulletin for Alaris Gateway Workstation

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.

BD
Franklin Lakes, NJ
07417
United States

bd.com
© 2019 BD

This site uses cookies. If you click accept cookies then all cookies will be written. Please review our cookies policy and configure your cookies for your experience.