Certain BD Alaris Plus medical syringe pumps have been found to contain a critical remotely exploitable vulnerability. The flaw can be exploited when the devices are connected to a terminal server via the serial port. If exploited, a threat actor could alter the intended function of the pumps. The flaw is an improper authentication vulnerability: the software fails to perform proper authentication for functionality that requires a provable user identity.
Elad Luz of CyberMDX identified the flaw and notified Becton, Dickinson and Company (BD). BD voluntarily reported the flaw to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Cybersecurity & Communications Integration Center. The former issued an advisory regarding the vulnerability on August 23, 2018.
Alaris Plus medical syringe pumps (version 2.3.6 and prior versions) are affected, specifically Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA. The flaw has been assigned a CVSS v3 score of 9.4 out of 10 and is being tracked as CVE-2018-147.
BD explained that the vulnerability does not affect any products that are marketed in the United States or those that are currently being sold. Vulnerable devices were formerly sold in the European Union.
A threat actor cannot exploit the vulnerability while the device is connected to the Alaris Gateway Workstation docking station, because the remote-control feature is disabled when the device is docked. If the device is switched off, it cannot be turned on remotely. BD also noted that exploiting the flaw does not provide access to PII or PHI.
BD explained that an attack relies on a known vulnerability in terminal servers. Using the device with terminal servers is not supported. To minimize the possibility of the flaw being exploited, all users have been cautioned to use the affected pumps as stand-alone devices or, alternatively, to deploy them in a segmented network environment.
The ICS-CERT bulletin states that threat actors with a low level of skill can exploit the vulnerability. According to BD, however, all of the following conditions must be satisfied in order to carry out an attack:
- the affected device must be connected to a terminal server via a serial port
- the attacker must understand the device communication protocol
- the attacker must have access to specific driver software that implements the pump protocol communication
- the attacker must be able to penetrate a customer network and access the terminal server devices
BD said that because all of these conditions are necessary to exploit the vulnerability, the probability of an unauthorized breach that impacts the delivery of a patient's IV infusion is negligible.