(I)IoT Security News
ICS, News, Vulnerabilities

BD Alaris 8015 PC Unit and BD Alaris Systems Manager

BD Alaris 8015 PC Unit and BD Alaris Systems Manager

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a drop in the wireless capability of the Alaris PC Unit. In order to exploit this vulnerability, an attacker would need to gain access to the network associated with the affected devices and redirect the BD Alaris PC Unit’s authentication requests with a custom code and complete an authentication handshake based on the information extracted from the authentication requests. The Alaris PC Unit will continue to function as programmed; however, network-based services such as pre-populating the Alaris PC Unit with infusion parameters through EMR Interoperability or wirelessly updating the Alaris System Guardrails (DERS) will not be available.

As a result of a successful attack, the operator may have to manually program the pump, download data logs, or activate the new data set. Exploiting this vulnerability would not provide administration access to the BD Alaris PC Unit or the BD Alaris Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris PC Unit. Any Protected Health Information (PHI) or Personally Identifiable Information (PII) is encrypted.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of BD Alaris infusion products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER AUTHENTICATION CWE-287

The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager.
If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.

CVE-2020-25165 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

3.3 BACKGROUND

3.4    RESEARCHER

Medigate discovered this vulnerability and reported it to BD.

4. MITIGATIONS

BD has provided the following mitigations and compensating controls to assist users in reducing the risks associated with this vulnerability.

As part of BD’s normal server upgrades, many of the Systems Manager installations have already been updated to a version that addresses this security vulnerability.

BD plans to release an upcoming version of the BD Alaris PC Unit software to address this vulnerability, and Versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2 of the BD Alaris Systems Manager will address this vulnerability.

BD also recommends the following mitigations and compensating controls to reduce the risks associated with this vulnerability:

The combination of these actions can restrict what devices or systems can be on the segment and the types of traffic that could be used between the wireless network segment and the server segment where the Systems Manager Server is located. These controls will help to mitigate and reduce the impact of this type of attack. For additional information please see the BD product security bulletin.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Source:

https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01

Related posts

Siemens Industrial Products (Update P)

(I) IoT
4 years ago

Siemens SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM

(I) IoT
4 years ago

Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability

(I) IoT
4 weeks ago
Exit mobile version