Becton, Dickinson and Company (BD) discovered an insufficiently protected credentials vulnerability in its Alaris 8000 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions, according to an advisory published by ICS-CERT.
BD did not develop a product fix to address this vulnerability, but issued compensating controls to help reduce the risk associated with this vulnerability.
All versions of the Alaris 8000 PC unit are affected.
Successful exploitation of this vulnerability may allow an unauthorized user with physical access to an affected device to access the host facility’s wireless network authentication credentials and other sensitive technical data.
BD is a U.S.-based company that maintains offices in multiple countries around the world.
The affected product, the Alaris 8000 PC unit, is the core of the Alaris System that provides a common user interface for programming intravenous infusions.
The Alaris 8000 PC unit is used across the healthcare and public health sector. BD said the Alaris 8000 PC unit is deployed worldwide.
An unauthorized user with physical access to an Alaris 8000 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the unit and reading the device’s flash memory. The Alaris 8000 PC unit stores wireless network authentication credentials and other sensitive technical data on internal flash memory. Reading the internal flash memory of the affected device would require special tools to extract the data, and carrying out this attack at a healthcare facility would increase the likelihood of detection.
CVE-2016-8375 has been assigned to this vulnerability, which has a CVSS v3 base score of 4.9.
This vulnerability is not remotely exploitable. No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.
BD has not developed a product fix to address the vulnerability, but has issued compensating controls to reduce the risk of exploitation. BD recommends that users apply the following compensating controls:
• Users should exercise diligence in implementing a physical asset management program that involves tracking and inventorying equipment.
• Users should follow procedures for clearing wireless network authentication credentials on the Alaris PC unit if the device is to be removed or transported from the facility. These procedures are in the Alaris System Maintenance Software User Manual.
• Users should change wireless network authentication credentials regularly and immediately if there is evidence of unauthorized physical access to an Alaris device at their facility.
• Users should consider a security policy in which wireless credentials are not configured on the Alaris PC unit if wireless networking functionality is not used for operation. This fully remediates the vulnerability for non-wireless users.
• Users may choose to implement Access Control Lists that restrict device access to specific media access control (MAC) and IP addresses, ports, protocols, and services.
• Users may choose to place Alaris PC units on an isolated network with a dedicated service set identifier (SSID) to reduce the impact of compromised wireless network credentials. In all cases, security best practice prescribes frequent changing of the SSID and wireless authentication credentials.
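The last four controls above (clearing and rotating credentials after a device leaves the facility or shows signs of tampering, an access control list keyed on MAC and IP addresses, ports and protocols, and an isolated SSID for pump units) can be turned into a concrete check. The script below is an added example, not code from the ICS-CERT advisory or from BD: it evaluates constructed connection records from a hypothetical pump segment against a per-device allowlist, and decides whether the segment’s wireless credentials are due for rotation from a constructed maintenance log. Every MAC address, IP address, server and event in it is made up for illustration.

```python
"""Hypothetical allowlist and credential-rotation checks for an isolated
infusion-pump network segment.

Added example, not code from the ICS-CERT advisory or from BD. It models the
compensating controls the advisory lists: a dedicated SSID/VLAN for pump
units, an access control list keyed on MAC address, IP address, protocol and
port, and rotation of wireless credentials when a device is removed from the
facility or shows evidence of unauthorized physical access. All MAC and IP
addresses, the server, and the log events below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AclEntry:
    """One inventoried pump: its fixed IP and the only endpoints it may reach."""
    ip: str
    allowed: frozenset  # of (protocol, destination ip, destination port)


@dataclass(frozen=True)
class Flow:
    """A single observed connection from the pump segment (constructed)."""
    src_mac: str
    src_ip: str
    protocol: str
    dst_ip: str
    dst_port: int


# Hypothetical ACL: two inventoried pumps, each allowed to reach only the
# (hypothetical) infusion-system server over HTTPS.
PUMP_SERVER = "10.50.0.5"
PUMP_ACL = {
    "aa:bb:cc:00:00:01": AclEntry("10.50.1.21", frozenset({("tcp", PUMP_SERVER, 443)})),
    "aa:bb:cc:00:00:02": AclEntry("10.50.1.22", frozenset({("tcp", PUMP_SERVER, 443)})),
}


def evaluate_flow(flow: Flow, acl: dict = PUMP_ACL) -> str:
    """Return 'allow' or a 'deny: <reason>' string for one flow."""
    entry = acl.get(flow.src_mac.lower())
    if entry is None:
        return "deny: MAC not in pump inventory"
    if flow.src_ip != entry.ip:
        return "deny: MAC/IP pair does not match inventory"
    if (flow.protocol.lower(), flow.dst_ip, flow.dst_port) not in entry.allowed:
        return "deny: destination, port or protocol not on allowlist"
    return "allow"


def audit_flows(flows, acl: dict = PUMP_ACL) -> list:
    """Return (flow, reason) for every flow the ACL would deny."""
    results = []
    for flow in flows:
        verdict = evaluate_flow(flow, acl)
        if verdict != "allow":
            results.append((flow, verdict))
    return results


def rotation_due(last_rotated: date, events, today: date, max_age_days: int = 90) -> bool:
    """Decide whether the segment's wireless credentials should be rotated.

    Rotation is due when the credentials exceed the routine age limit, or when
    a 'removed' or 'unauthorized_access' event for a pump post-dates the last
    rotation (the advisory's 'immediately' cases).
    """
    if (today - last_rotated).days >= max_age_days:
        return True
    return any(kind in ("removed", "unauthorized_access") and when > last_rotated
               for kind, when in events)


# Constructed sample flows: one legitimate, three the ACL should deny.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "10.50.1.21", "tcp", PUMP_SERVER, 443),  # allowed
    Flow("de:ad:be:ef:00:01", "10.50.1.99", "tcp", PUMP_SERVER, 443),  # unknown MAC
    Flow("aa:bb:cc:00:00:02", "10.50.1.21", "tcp", PUMP_SERVER, 443),  # MAC/IP mismatch
    Flow("aa:bb:cc:00:00:02", "10.50.1.22", "tcp", "10.50.0.9", 22),   # off-allowlist destination
]

# Constructed maintenance log: (event kind, date) and reference dates.
SAMPLE_EVENTS = [("serviced", date(2017, 1, 10)), ("removed", date(2017, 2, 3))]
LAST_ROTATED = date(2017, 1, 15)
TODAY = date(2017, 2, 10)

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src_mac} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}  {reason}")
    print("rotate credentials:", rotation_due(LAST_ROTATED, SAMPLE_EVENTS, TODAY))
```

Running it flags the three denied flows and reports that rotation is due, because a pump was removed from the facility after the credentials were last changed. The MAC/IP mismatch rule matters on a segment like this: pumps keep fixed addresses, so a known MAC appearing from a different IP is worth an alert even when the destination itself is allowed.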
BD has published a security bulletin for the Alaris PC unit (PCU) model 8000. Additional information about the identified vulnerability and BD’s compensating controls is available from BD Customer Support.