
Multiple Vulnerabilities on BD Alaris Medical Devices


Summary

Vulnerabilities affect various BD Alaris products


Threat details

Introduction

Becton, Dickinson and Company (BD) have reported multiple vulnerabilities in products including BD Alaris PCU, BD Alaris Guardrails, and BD Alaris Systems Manager.

The most severe of these has a CVSS v3 base score of 8.2 and involves cross-site scripting. Some of these vulnerabilities could be used by an attacker to gain control of an affected system.


Vulnerability details

  • CVE-2023-30559 - CWE-20 - IMPROPER INPUT VALIDATION

In BD Alaris Point-of-Care Unit (PCU) Model 8015 v12.1.3 and prior, the firmware update package for the wireless card is not properly signed and can be modified. A CVSS v3 base score of 5.2 has been calculated.

  • CVE-2023-30560 - CWE-287 - IMPROPER AUTHENTICATION

In BD Alaris Point-of-Care Unit (PCU) Model 8015 v12.1.3 and prior, the configuration from the PCU can be modified without authentication using physical connection to the PCU. A CVSS v3 base score of 6.8 has been calculated.

  • CVE-2023-30561 - CWE-311 - MISSING ENCRYPTION OF SENSITIVE DATA

In BD Alaris Point-of-Care Unit (PCU) Model 8015 v12.1.3 and prior, the data flowing between the PCU and its modules is insecure. A threat actor with physical access could read or modify data by attaching a specially crafted device while an infusion is running. A CVSS v3 base score of 6.1 has been calculated.

  • CVE-2023-30562 - CWE-345 - INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY

BD Alaris Guardrails Editor (GRE) v12.1.2 and prior has a GRE dataset file within Systems Manager that can be tampered with and distributed to the PCUs. A CVSS v3 base score of 6.7 has been calculated.

  • CVE-2023-30563 - CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING')

In the BD Alaris Systems Manager (SM) v12.3 and prior, a malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session. A CVSS v3 base score of 8.2 has been calculated.

  • CVE-2023-30564 - CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING')

BD Alaris Systems Manager (SM) v12.3 and prior does not perform input validation during the Device Import Function. A CVSS v3 base score of 6.9 has been calculated.

  • CVE-2023-30565 - CWE-319 - CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION

An insecure connection between Systems Manager and CQI Reporter v10.17 application could expose infusion data to an attacker. A CVSS v3 base score of 3.5 has been calculated.

  • CVE-2018-1285 - CWE-611 - IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE

A lack of input validation within Apache Log4Net (due to an outdated software version) could allow a threat actor to execute malicious commands. A CVSS v3 base score of 3.0 has been calculated.


Remediation advice

Affected organisations are encouraged to review the relevant CISA advisory ICSMA-23-194-01 and BD security bulletin.

BD recommends the following mitigations and compensating controls to reduce the risk associated with these vulnerabilities:

  • Provide appropriate network perimeter security, such as using firewalls, or create Access Control Lists (ACL) to limit network traffic from devices to only the required ports on the required endpoints.
    • The PCU only requires access to DNS, dynamic host configuration protocol (DHCP) and SM on port 3613. The PCU does not accept unsolicited inbound traffic.
    • BD recommends segmenting BD Alaris PCUs onto a separate virtual local area network (VLAN) to further enhance the security of BD Alaris PCUs.
  • Users should control network access to the SM server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the SM Virtual Machine Deployment Guide.
    • Users should apply SSL certificates from valid Certificate Authorities, per Chapter 9 of the same document.
  • Follow Chapter 1 of the Alaris System Maintenance Software User Manual to enable an authentication challenge password for network configuration changes.
  • See the Network Settings section of the Alaris System Maintenance User Manual for details on how to manage these credentials.
    • Monitor network traffic for unusual or unexpected traffic and activity. If users suspect credentials have been exposed, change credentials immediately.
  • Utilise MAC filtering on the network segment containing the BD Alaris System to restrict access to only those approved devices needed.
  • Periodically inspect BD Alaris System components to ensure they are running the correct software versions.
    • Use the instructions in Chapter 4 of the SM User Manual or Section 6.2.10 of the BD Alaris PCU and Pump Module Technical Service Manual to find software versions.
  • Adhere to industry security best practices regarding access control, identification and authorisation, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2.
  • Inspect the BD Alaris System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris System Products Service Manual.
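The first mitigation above reduces to a small allow-list: a PCU should only talk to DNS, DHCP and the SM on port 3613, and should receive no unsolicited inbound traffic. The following script is an added example (not BD, CISA or NHS code) that checks constructed flow records against that allow-list; the PCU VLAN, the SM address and the record format are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple
# Assumed placeholders (not from the advisory): the PCU VLAN and SM address.
PCU_NET = ipaddress.ip_network("10.20.30.0/24")
SM_HOST = ipaddress.ip_address("10.20.40.5")

class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst proto dport' record (initiator first)."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))

def is_allowed(flow: Flow) -> bool:
    """Allow-list from the BD advice: DNS, DHCP, and SM on port 3613 only."""
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):   # DNS
        return True
    if flow.proto == "udp" and flow.dport in (67, 68):       # DHCP
        return True
    # SM: port 3613 is only legitimate when the destination is the SM server.
    return flow.proto == "tcp" and flow.dport == 3613 and flow.dst == SM_HOST

def unexpected_flows(lines):
    """Return PCU-related flows that violate the allow-list.
    Any flow initiated from outside the PCU VLAN towards a PCU is flagged,
    because the advisory states the PCU accepts no unsolicited inbound traffic."""
    flagged = []
    for line in lines:
        flow = parse_flow(line)
        if flow.dst in PCU_NET and flow.src not in PCU_NET:
            flagged.append(flow)
        elif flow.src in PCU_NET and not is_allowed(flow):
            flagged.append(flow)
    return flagged

# Constructed sample records; not captured traffic.
SAMPLE_LOG = """\
10.20.30.11 10.20.40.2 udp 53
10.20.30.11 10.20.40.1 udp 67
10.20.30.11 10.20.40.5 tcp 3613
10.20.30.12 10.20.40.5 tcp 443
10.20.30.12 10.20.40.9 tcp 3613
10.20.50.7 10.20.30.12 tcp 22
""".splitlines()
```

Running `unexpected_flows(SAMPLE_LOG)` over the constructed records flags the HTTPS flow, the port-3613 flow to a host that is not the SM, and the inbound SSH attempt, while the DNS, DHCP and SM flows pass.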


Last edited: 17 July 2023 9:23 am