Becton, Dickinson and Company (BD) has mitigations in place to handle an improper authentication vulnerability in its Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA syringe pumps, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Elad Luz of CyberMDX, may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port. BD has determined the affected products are not sold within the United States.
The following Alaris Plus medical syringe pumps, versions 2.3.6 and prior, are affected by the vulnerability:
• Alaris GS
• Alaris GH
• Alaris CC
• Alaris TIVA
The underlying weakness is that the software does not perform authentication for functionality that requires a provable user identity.
CVE-2018-14786 has been assigned to this vulnerability, which has a CVSS v3 base score of 9.4.
The product is used mainly in the healthcare and public health sector and is deployed in the European Union.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
BD said this vulnerability cannot be exploited if the device is connected to an Alaris Gateway Workstation docking station. Also, an attacker cannot switch the device on remotely, and no PHI or PII can be accessed by exploiting this vulnerability.
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
• This attack relies on a known vulnerability in terminal servers. Users who connect these pumps through terminal servers should understand that terminal server use is not supported.
• Users should ensure they are operating these devices in a segmented network environment or as a stand-alone device.
• Users should connect the devices via the Alaris Gateway Workstation docking station, which disables the remote control feature.
For more information on BD’s product security and vulnerability management, contact their product security office.