Interpeak IPNET TCP IP stack vulnerability

United States
North America

Canada (FR)

Canada (EN)

Mexico

United States

South America

Argentina

Brasil

Chile

Colombia
Europe

Belgium (FR)

Belgium (NL)

Česká republika

Denmark

Europe

Suomi

France

Deutschland

Hebrew

Hungary (EN)

Hungary (HU)

Ireland

Italia

Nederland

Norge

Polska

Россия

España

Sverige

Schweiz

Türkiye

United Kingdom
Middle East / Africa

Middle East, North Africa

Africa

Asia / Pacific

Australia / New Zealand

中国

Greater Asia

India

Indonesia

日本

Korea

Malaysia

Philippines

Singapore

Thailand

Vietnam
Login

Bulletin and Patches

Aug 09, 2022

Bulletins

HIGH

Last updated: August 09, 2022

Original Publication: October 01, 2019

BD has assessed eight reported vulnerabilities that impact VxWorks, a real-time operating system (RTOS) from third-party vendor Wind River Systems, and three vulnerabilities that impact connected devices leveraging the Interpeak IPnet standalone TCP/IP networking stack associated with VxWorks. These vulnerabilities are not exclusive to BD, or medical devices that use VxWorks or the Interpeak IPnet standalone TCP/IP networking stack. BD is providing this update to educate customers on which BD products and under what conditions their devices could be affected by this third-party vulnerability

There have been no reported exploits of the BD Alaris™ PC Unit or any BD products associated with the vulnerabilities in this third-party software.

BEGIN UPDATE A: Aug 09, 2022

Remediation

BD has released the following Alaris™ PC Unit software, which addresses CVE-2019-12255 and CVE-2019-12264, also known as “Urgent 11:”

Alaris™ PC Unit Software Versions 12.1.0 and newer

BD recommends that customers update to Alaris™ PC Unit versions 12.1.1 or newer, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD Sales Representative.

END UPDATE A: Aug 09, 2022

BD determined it does not use any of the impacted versions of the VxWorks real-time operating system (RTOS). However, the following BD products do use the Interpeak IPnet standalone TCP/IP networking stack. IPnet is the wired/wireless network stack that the pump uses to communicate on the network to the BD Alaris Systems Manager Server:

Alaris™ PC Unit

Note: This list may be updated as necessary if new information becomes available. For those customers who do not use the wireless capabilities in the Alaris™ PC Unit, these vulnerabilities do not apply.

The Alaris™ PC Unit is potentially affected by two of the three reported vulnerabilities in the Interpeak IPnet standalone TCP/IP networking stack, specifically, CVE-2019-12255 and CVE-2019-12264.

CVE-2019-12255: TCP Urgent Pointer = 0 leads to integer underflow
- To exploit this vulnerability on an Alaris™ PC Unit, an attacker would have to gain access to the customer network, identify the IP address of the Alaris™ PC Unit, redirect traffic from the Alaris™ PC Unit’s server connection to itself (spoofing) and then send malicious packets to the Alaris™ PC Unit. A successful attack may result in an error with the Alaris™ PC Unit, signaling a highly detectable alarm and locking the keyboard. The Alaris System was designed to fail safely allowing the infusions to continue when a PCU error occurs. Additionally, a theoretical pathway could result in an unauthorized change to patient therapy. An attacker would need to follow the series of steps above, in addition to six other advanced sequence of events, and also understand internal proprietary architecture of the Alaris PC Unit to result in an authorized change to patient therapy. BD engineers that are experts on the device and its system architecture have not been able to reproduce this theoretical vulnerability.

CVE-2019-12264: Logical flaw in IPv4 assignment by the ipdhcpc Dynamic Host Configuration Protocol (DHCP) client
- To exploit this vulnerability and assign the Alaris™ PC unit with an invalid IP address, an attacker would need to gain access to the customer network, monitor the DHCP requests from the Alaris™ PC Unit, send spoofed DHCP response with an invalid IP address, which may lead to a denial of service in the wireless capability of the Alaris™ PC Unit. The Alaris™ PC Unit will continue to function as expected; however network based services such as interoperability will not be available.

A third vulnerability, CVE-2019-12262, does not affect the Alaris PC Unit, as BD specific configurations for the Alaris™ PC Unit does not use this functionality.

Note: These vulnerabilities have been assessed using the Common Vulnerability Scoring System (CVSS) version 3.0 ( https://www.first.org/cvss/) by Wind River Systems

CVE-2019-12255: CVSS 9.8 (high) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/
CVE-2019-12264: CVSS 7.1 (medium) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

CVE-2019-12255 has been assessed for clinical impact by BD. Based on the risk evaluation, the hazardous situations secondary to the keypad lock up (for example under infusion, delay in start of therapy or interruption of therapy when power cycling the pump to clear the alarm condition) could potentially result in patient harm, depending on criticality of patient and the type of therapy infusion at the time. The probability of harm is unlikely considering each individual device would need to be targeted via an exploit; there is a highly detectable alarm and the exploit would not interrupt the infusion. The medical benefits for continued use of the device outweigh the risks associated with these vulnerabilities.

CVE-2019-12264 has been assessed for clinical impact by BD and is a negligible risk. If successful, the Alaris™ PC Unit will be unable to communicate with the System Manager, however infusions will continue as intended.

The Interpeak IPnet standalone TCP/IP networking stack does not currently have a remediation provided by the vendor. BD has investigated and confirmed the following compensating controls to minimize risk and impact in addition to exploring other potential solutions:
Consider stronger network controls for wireless authentication, which are harder to replicate and substitute, like enterprise versions of WPA/WP2 protocols
Customers with Intrusion Detection Systems (IDS) should consider monitoring wireless networks with patient connected devices for possible malicious activity
Systems Manager should be considered a critical service. Whenever possible, it should operate on a secured network behind a firewall, it should be patched regularly, and should have malware protection
Ensure that the Alaris PC Unit and Alaris Systems Manager are separated by a firewall
Implement firewall rules to block any TCP segment that has the URG flag set from being sent to the Alaris™ PC Unit. An example rule for Linux/iptables based firewall is:
iptables -A FORWARD -p tcp --tcp-flags URG URG --source-port 3613 -j DROP
Note: Port 3613 is registered to Alaris (BD).
The rule can be further specialized by adding IP address of the System Manager as the source IP address

For product or site-specific concerns, contact your BD service representative.

BD Statement regarding Interpeak IPnet coordinated vulnerability disclosure
Wind River Security Announcement: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/ipnet-faq/
US CERT Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-211-01