Becton Dickinson Discovered High and Critical Severity Vulnerabilities in Alaris Gateway Workstations

Becton Dickinson (BD) discovered two vulnerabilities in some of its infusion pumps. One vulnerability is rated critical severity with a maximum CVSS v3 rating of 10 of 10.

BD is known for proactively searching vulnerabilities, responding to cybersecurity concerns, and announcing specifics of vulnerabilities promptly. BD readily announced the two vulnerabilities and discussed information about the flaws with Information Sharing and Analysis Organizations (ISAOs). In this case, Elad Luz of CyberMDX discovered the vulnerabilities and reported them to BD. The Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ICS-CERT) likewise released a security bulletin regarding the vulnerabilities.

The two flaws impact BD Alaris™ Gateway Workstations used in 50 countries, including Germany, the United Kingdom, Spain and the Netherlands. The Gateway Workstations available in the United States are not affected. Less than 3,000 devices per country are affected by the vulnerability. The vulnerabilities only impact devices with older firmware versions and not the recent firmware versions – 1.3.2 and 1.6.1.

To date, there are no reports that the vulnerabilities were exploited. However, BD advises users to upgrade their firmware to the latest version because of the severity of the vulnerabilities, and to follow the recommended actions to minimize the risk.

The Information Exposure Vulnerability

BD identified an improper access control vulnerability that hackers could exploit on a vulnerable Gateway Workstation utilized in standalone configuration. In case the hacker knew the workstation terminal’s IP address, it’s possible to access the web user interface and acquire read-only access to data, including the user guide, monitoring, configurations and event logs.

This high severity vulnerability CVE-2019-10962 has an assigned CVSS v3 base rating of 7.3 of 10. Vulnerable versions include: 0.13; 1.3 Build 10; 1.3 MR Build 11; 1.5 and 1.6.

Unrestricted Upload of Unauthorized Software

If an attacker exploits this critical severity vulnerability, the attacker could install unauthorized firmware to a vulnerable device. Then an attacker could control the device’s infusion rate, dosage and other functions or even entirely stop infusions. It is also possible to keep devices silent to stop the generation of any alerts.

ICS-CERT stated that exploitation of the vulnerabilities could allow a hacker to perform unauthorized arbitrary code execution, permitting him to view and modify device status and settings and make the device unavailable.

The critical severity vulnerability CVE-2019-10959 has an assigned CVSS v3 base rating of 10 out of 10. In order to exploit this vulnerability, the attacker needs to access the hospital network first and manage to update and change a CAB file.

The attacker needs to develop a custom file capable of running in a CE environment, correctly utilize the internal communications protocols and make a distinct installer for the changed CAB file then configure it to run the program. The nature of attack is complicated and require a high level of knowledge and skill, so it is difficult to exploit this vulnerability.

This vulnerability affects devices with the following versions of firmware: 1.3 Build 10; 1.3 MR Build 11; 3.0 Build 14; and 3.1 Build 13. It also affects the following products if utilizing software version 2.3.6: Alaris CC; Alaris GS; Alaris GH; and Alaris TIVA.

The vulnerability could be completely mitigated by installing the most recent firmware version. BD advises the restriction of access to the devices and keeping it from networking with untrusted systems.

The dangerous file upload vulnerability may be dealt with by getting the most recent firmware version. If an upgrade is not possible, a patch issued by BD within 60 days must be applied promptly.

BD additionally recommends stopping SMB protocol, separating the VLAN network, using access controls and limiting the number of individuals who could access the customer network.