Cybersecurity News

BD Discloses Alaris Medical Device Vulnerability, Poses DoS Attack Risk

A disclosed vulnerability found in the BD Alaris 8015 PC Unit and Systems Manager poses a Denial of Service (DoS) attack risk. DHS CISA is urging organizations to apply compensating controls.


By Jessica Davis

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an alert urging organizations to apply mitigations provided by BD for a vulnerability in its Alaris 8015 PC Unit and Systems Manager, which poses a denial of service (DoS) attack risk.

BD proactively disclosed the vulnerability as part of its efforts to address security risks discovered across its medical device product line. The vulnerability affects the PC Unit, versions 9.33.1 and earlier, as well as the Systems Manager, versions 4.33 and earlier.

The flaw lies in network session authentication: specifically, in the authentication handshake between vulnerable versions of the BD Alaris PC Unit and its Systems Manager.

“If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit,” CISA warned. “A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.”

Hackers would first have to gain physical access to a facility’s network and then redirect the device’s “authentication requests with a custom code and complete an authentication handshake based on the information extracted from the authentication requests.”

BD officials noted that a disruption in wireless connectivity would not affect pump functionality, nor would it give the attacker administrative access to the unit or the Systems Manager. The attacker would also be unable to gain permissions or execute remote commands through an exploit, and all protected health information and personally identifiable information is encrypted on the device.

However, a successful exploit would render network-based services unavailable, including pre-population of the unit with infusion parameters through EMR interoperability and wireless updates of the Alaris System Guardrails dose error reduction software (DERS) data sets.

A successful attack would therefore require the operator to manually program the pump, download data logs, and activate new data sets.
</gre_replace>
<gr_replace lines="27" cat="clarify" orig="At the time of publication">
At the time of publication, there have been no reported exploits of the vulnerability in a clinical setting. BD has published recommended compensating controls for customers using the impacted versions of the device. Further, many impacted Systems Manager installations may already have been updated, through routine server upgrades, to a version that addresses the vulnerability.

At the time of publication, there have been no reported exploits of the vulnerability in a clinical setting. BD has published recommended compensating controls for customers using the impacted versions of the device. Further, many impacted Systems Manager installations may have already been updated to a version that has addressed the security vulnerability through its routine server upgrade.

Upcoming versions of the BD Alaris PC Unit software will address the flaw, and BD noted versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2 of the BD Alaris Systems Manager will remediate the vulnerability.

Until then, organizations should apply compensating controls and mitigation measures to reduce the risk posed by the flaw, such as enabling the firewall on the Systems Manager’s server image and restricting inbound and outbound ports and services to those the system actually requires.

BD noted these measures will block most of the access to the server and protect the device from being impacted by the vulnerability.

“If a firewall is integrated between the server network segment and its wireless network segments, implement a firewall rule with an access control list (ACL) that restricts access to the wireless network segment via the specific MAC address of the wireless card on the pump,” BD officials explained.

“This would restrict access to the wireless segment to only authorized devices and not allow other devices to connect and authenticate to the segment,” they added. “BD Alaris Systems Manager should be considered a critical service. Whenever possible, it should operate on a secured network behind a firewall, be patched regularly, and have malware protection.”

Administrators should also disable unnecessary accounts, protocols, and services. CISA explained that a combination of these steps can create restrictions for what devices or systems can operate on the segment, as well as the traffic types allowed to be used between the wireless network segment and the server segment for the Systems Manager Server.
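The segmentation controls above (a default-deny firewall between the wireless pump segment and the server segment, an ACL keyed on the pump’s wireless MAC address, and port restrictions toward the Systems Manager) can be expressed as a small policy model. The following is an added illustration by the editor, not code from BD or CISA: it evaluates frames crossing from the wireless segment to the server segment and emits the equivalent nftables ruleset for a Linux firewall sitting between the two. The MAC addresses, the server IP, and the port number 443 are constructed placeholders; BD’s documentation is the authority on which ports the Systems Manager actually uses.

```python
"""Segmentation policy for an infusion-pump wireless segment.

Added example, not vendor code. Models the compensating control described
in the advisory coverage: traffic from the wireless segment reaches the
Systems Manager only from allowlisted pump MAC addresses, only to the
Systems Manager host, and only on the ports it needs. All concrete values
below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form; accepts 'AA-BB-CC-..', 'aabb.ccdd.eeff', etc."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SegmentPolicy:
    server_ip: str                    # Systems Manager host in the server segment
    allowed_ports: frozenset          # TCP ports the pumps legitimately use (assumed)
    pump_macs: set = field(default_factory=set)

    def authorize_pump(self, mac: str) -> None:
        """Add one pump's wireless-card MAC to the allowlist."""
        self.pump_macs.add(normalize_mac(mac))

    def is_allowed(self, src_mac: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
        """Default-deny decision for a frame crossing wireless -> server segment."""
        try:
            mac = normalize_mac(src_mac)
        except ValueError:
            return False  # malformed source address: drop
        return (
            mac in self.pump_macs
            and dst_ip == self.server_ip
            and proto == "tcp"
            and dst_port in self.allowed_ports
        )

    def nftables_rules(self, wifi_if: str, server_if: str) -> str:
        """Equivalent nftables forward chain: drop by default, accept only allowlisted pumps."""
        ports = ", ".join(str(p) for p in sorted(self.allowed_ports))
        lines = [
            "table inet pumpseg {",
            "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            "    ct state established,related accept",
        ]
        for mac in sorted(self.pump_macs):
            lines.append(
                f'    iifname "{wifi_if}" oifname "{server_if}" ether saddr {mac} '
                f"ip daddr {self.server_ip} tcp dport {{ {ports} }} accept"
            )
        lines += ["  }", "}"]
        return "\n".join(lines)


# Constructed sample policy; the addresses and port are placeholders, not advisory values.
POLICY = SegmentPolicy(server_ip="10.20.30.40", allowed_ports=frozenset({443}))
for _mac in ("00-11-22-AA-BB-CC", "00:11:22:aa:bb:cd"):
    POLICY.authorize_pump(_mac)


def demo() -> dict:
    """Decisions for a few constructed frames, keyed by scenario."""
    return {
        "listed pump to SM port": POLICY.is_allowed("00:11:22:AA:BB:CC", "10.20.30.40", 443),
        "listed pump to other port": POLICY.is_allowed("00:11:22:aa:bb:cc", "10.20.30.40", 22),
        "listed pump to other host": POLICY.is_allowed("00:11:22:aa:bb:cc", "10.20.30.41", 443),
        "unlisted device": POLICY.is_allowed("00:11:22:aa:bb:ee", "10.20.30.40", 443),
        "malformed source": POLICY.is_allowed("not-a-mac", "10.20.30.40", 443),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:28s} -> {'ACCEPT' if allowed else 'DROP'}")
    print(POLICY.nftables_rules("wlan0", "eth1"))
```

The policy is deliberately default-deny, so a device that is merely present on the wireless segment but not on the allowlist never reaches the Systems Manager, which is the restriction BD describes. Two caveats a practitioner should keep in mind: a MAC allowlist raises the bar but does not authenticate anything, since an attacker who can observe a pump’s frames can spoof its MAC address, and the host firewall on the Systems Manager server image is a separate control that must be configured on that server in addition to the segment firewall modelled here. Neither replaces updating to a fixed Systems Manager version.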

The recommended controls are designed to mitigate and reduce the impact of a cyberattack.