Alaris™ Gateway Workstation Web Browser User Interface Lack of Authentication

United States
North America

Canada (EN)

Canada (FR)

United States

South America

América Latina (ES)

América Latina (PT)
Europe

Belgique

België

Česká republika

Deutschland

España

France

Israel

Italia

Nederland

Nordics

Österreich

Polska

Schweiz

United Kingdom
Middle East, North Africa, Turkey

Middle East, North Africa, Turkey

South Africa

Asia Pacific

Australia & New Zealand

中国

Greater Asia

India

日本

대한민국

Southeast Asia
Login

true

Bulletin and Patches

Jun 13, 2019

Bulletins

HIGH

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

It applies to products that are actively supported. These products are not sold or used in the United States.

BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Voluntary vulnerability disclosure is an essential component to BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris™ Gateway Workstation. The contents of this notification will be disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and is voluntary reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).

This notification applies to the Alaris™ Gateway Workstation products:

Alaris Gateway Workstation Web Browser User Interface, a web-based application, for the following versions only:
- 1.0.13
- 1.1.3 Build 10
- 1.1.3 MR Build 11
- 1.1.5
- 1.1.6

This product is not sold or used in the United States, and there have been no reported exploits of this vulnerability.

This does not impact the latest firmware version 1.3.2 nor version 1.6.1.

BD has been made aware of a potential vulnerability that can impact Web Browser User Interface on the Alaris™ Gateway Workstation, standalone configuration only. If exploited, this vulnerability may allow an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the following information on the Web Browser User Interface:

Monitoring
Event Logs
User Guide
Configuration
Note: Monitoring, Event Logs and User Guide have read-only access. Pages under configuration offer the ability to modify parameters.

By default, no patient information is stored on the Web Browser User Interface.

Configuration Details

Additionally, an attack may be able to change the Workstation’s network configuration and restart the Workstation.

Pages under configuration include:

Identification
Date & Time; changes to these values would affect timestamps of log entries and snapshots of Patient Data Management System
Alarm Settings
Wired Networking
Wireless Networking
Note: This only applies to option 03 Alaris Gateway Workstations which utilize Wi-Fi adapters. This accounts for a small percentage of legacy devices.
Serial ports

Select information may also be viewed as plain text through the portal.xml interface.

CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris™ Gateway Workstation.

This vulnerability does not have a direct impact on any mounted infusion pump functionality or performance as this is a web-based application utilized for only the aggregation of data.

BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within an organization that uses the Alaris™ Gateway Workstation.

7.3 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Rationale: A malicious attacker would need to gain access to the hospital’s internal network (at minimum, acquiring an IP on the subnet) for this attack to be successful. For this reason, we anticipate the attacker to have elevated privileges, however the Web Browser User Interface does not require authentication and therefore privileges are not required. A successful attack would involve compromise of system integrity, due to the risk of modification of network settings, and system/data availability, if an attacker pushes the Workstation into a reboot cycle. Pump information, such as model information and software version, is not deemed to be sensitive data, however data confidentiality is impacted as status, logging, network and configuration information are viewable and offer the ability to modify parameters.

BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:

BD recommends customers utilize the latest firmware version 1.3.2 or 1.6.1
Customers should ensure only appropriate associates have access to their network
BD recommends customers isolate their network from untrusted systems

Last BD Publication Update: 06/13/2019
Original BD Publication Date: 06/13/2019

For More Information

For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity

June 2019
Product Security Bulletin for Alaris™ Gateway Workstation

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.

BD
Franklin Lakes, NJ
07417
United States

true