BD has assessed eight reported vulnerabilities that impact VxWorks, a real-time operating system (RTOS) from third-party vendor Wind River Systems, and three vulnerabilities that impact connected devices leveraging the Interpeak IPnet standalone TCP/IP networking stack associated with VxWorks. These vulnerabilities are not exclusive to BD, or to medical devices that use VxWorks or the Interpeak IPnet standalone TCP/IP networking stack. BD is providing this update to educate customers on which BD products, and under what conditions, could be affected by this third-party vulnerability.
There have been no reported exploits of the BD Alaris™ PC Unit or any BD products associated with the vulnerabilities in this third-party software.
Products in Scope
BD determined it does not use any of the impacted versions of the VxWorks real-time operating system (RTOS). However, the following BD products do use the Interpeak IPnet standalone TCP/IP networking stack. IPnet is the wired/wireless network stack that the pump uses to communicate on the network to the BD Alaris Systems Manager Server:
Note: This list may be updated as necessary if new information becomes available. For those customers who do not use the wireless capabilities in the Alaris™ PC Unit, these vulnerabilities do not apply.
The Alaris™ PC Unit is potentially affected by two of the three reported vulnerabilities in the Interpeak IPnet standalone TCP/IP networking stack, specifically, CVE-2019-12255 and CVE-2019-12264.
- CVE-2019-12255: TCP Urgent Pointer = 0 leads to integer underflow
  - To exploit this vulnerability on an Alaris™ PC Unit, an attacker would have to gain access to the customer network, identify the IP address of the Alaris™ PC Unit, redirect traffic from the Alaris™ PC Unit’s server connection to itself (spoofing) and then send malicious packets to the Alaris™ PC Unit. A successful attack may result in an error on the Alaris™ PC Unit, signaling a highly detectable alarm and locking the keyboard. The Alaris System was designed to fail safely, allowing infusions to continue when a PCU error occurs. Additionally, a theoretical pathway could result in an unauthorized change to patient therapy. An attacker would need to follow the series of steps above, in addition to six other advanced sequences of events, and also understand the internal proprietary architecture of the Alaris PC Unit, to achieve an unauthorized change to patient therapy. BD engineers who are experts on the device and its system architecture have not been able to reproduce this theoretical vulnerability.
- CVE-2019-12264: Logical flaw in IPv4 assignment by the ipdhcpc Dynamic Host Configuration Protocol (DHCP) client
  - To exploit this vulnerability and assign the Alaris™ PC Unit an invalid IP address, an attacker would need to gain access to the customer network, monitor the DHCP requests from the Alaris™ PC Unit and send a spoofed DHCP response with an invalid IP address, which may lead to a denial of service in the wireless capability of the Alaris™ PC Unit. The Alaris™ PC Unit will continue to function as expected; however, network-based services such as interoperability will not be available.
A third vulnerability, CVE-2019-12262, does not affect the Alaris™ PC Unit, as the BD-specific configuration of the Alaris™ PC Unit does not use this functionality.
Note: These vulnerabilities have been assessed using the Common Vulnerability Scoring System (CVSS) version 3.0 (https://www.first.org/cvss/) by Wind River Systems.
- CVE-2019-12255: CVSS 9.8 (high) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2019-12264: CVSS 7.1 (medium) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.
Clinical Risk Assessment and Patient Safety Impact
CVE-2019-12255 has been assessed for clinical impact by BD. Based on the risk evaluation, the hazardous situations secondary to the keypad lock-up (for example, under-infusion, delay in the start of therapy, or interruption of therapy when power cycling the pump to clear the alarm condition) could potentially result in patient harm, depending on the criticality of the patient and the type of therapy being infused at the time. The probability of harm is unlikely, considering that each individual device would need to be targeted via an exploit, there is a highly detectable alarm, and the exploit would not interrupt the infusion. The medical benefits of continued use of the device outweigh the risks associated with these vulnerabilities.
CVE-2019-12264 has been assessed for clinical impact by BD and is a negligible risk. If successfully exploited, the Alaris™ PC Unit will be unable to communicate with the System Manager; however, infusions will continue as intended.
Mitigations & Compensating Controls
The Interpeak IPnet standalone TCP/IP networking stack does not currently have a remediation provided by the vendor. BD has investigated and confirmed the following compensating controls to minimize risk and impact in addition to exploring other potential solutions:
- Consider stronger network controls for wireless authentication that are harder to replicate and substitute, such as the enterprise versions of the WPA/WPA2 protocols
- Customers with Intrusion Detection Systems (IDS) should consider monitoring wireless networks with patient connected devices for possible malicious activity
- The Systems Manager should be considered a critical service. Whenever possible, it should operate on a secured network behind a firewall, be patched regularly, and have malware protection
- Ensure that the Alaris PC Unit and Alaris Systems Manager are separated by a firewall
- Implement firewall rules to block any TCP segment that has the URG flag set from being sent to the Alaris™ PC Unit. An example rule for Linux/iptables based firewall is:
iptables -A FORWARD -p tcp --tcp-flags URG URG --source-port 3613 -j DROP
Note: Port 3613 is registered to Alaris (BD).
The rule can be further specialized by adding the IP address of the System Manager as the source IP address.
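As an added illustration of the traffic the rule above is meant to stop (not BD's or Wind River's code; the packet bytes are constructed here), the following Python parses TCP headers and flags the CVE-2019-12255 trigger pattern, URG set with an urgent pointer of 0, alongside a check that mirrors the iptables rule's URG-plus-source-port-3613 match, so an IDS team can see which segments each test catches.

```python
import struct

# Port the advisory says is registered to Alaris (BD): the server-side port of
# the pump's System Manager connection, which the iptables rule keys on.
ALARIS_PORT = 3613
TCP_URG = 0x20  # URG bit in the TCP flags field


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urgp = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport,
            "data_offset": (off_flags >> 12) * 4,
            "flags": off_flags & 0x1FF, "urgent_pointer": urgp}

def is_cve_2019_12255_pattern(hdr: dict) -> bool:
    """URG flag set with an urgent pointer of 0 is the trigger the CVE describes."""
    return bool(hdr["flags"] & TCP_URG) and hdr["urgent_pointer"] == 0

def matches_advisory_rule(hdr: dict) -> bool:
    """Mirror the iptables rule above: URG set and source port 3613."""
    return bool(hdr["flags"] & TCP_URG) and hdr["sport"] == ALARIS_PORT

def build_segment(sport: int, dport: int, flags: int, urgp: int,
                  payload: bytes = b"") -> bytes:
    """Build a minimal TCP segment for testing (constructed data, checksum 0)."""
    off_flags = (5 << 12) | (flags & 0x1FF)  # 5 words = 20-byte header
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, off_flags,
                       65535, 0, urgp) + payload

def scan(segments) -> list:
    """Return (index, pattern_hit, rule_hit) per segment for an IDS-style sweep."""
    out = []
    for i, seg in enumerate(segments):
        hdr = parse_tcp_header(seg)
        out.append((i, is_cve_2019_12255_pattern(hdr), matches_advisory_rule(hdr)))
    return out


PSH_ACK = 0x18
# Constructed samples: a legitimate URG segment from the server port whose
# pointer lands inside the payload, the trigger pattern from the same port,
# and the trigger pattern from another port, which the source-port rule misses.
BENIGN = build_segment(ALARIS_PORT, 40000, PSH_ACK | TCP_URG, 3, b"abcdef")
TRIGGER = build_segment(ALARIS_PORT, 40000, PSH_ACK | TCP_URG, 0, b"abcdef")
OTHER_PORT = build_segment(40001, 40000, PSH_ACK | TCP_URG, 0, b"x")
```

The third sample shows why the rule should be read as a compensating control rather than a complete filter: it keys on the server port, so an IDS signature on the URG-plus-pointer-0 pattern itself is the more general detection.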
For product or site-specific concerns, contact your BD service representative.