BD Alaris™ 8015 PC Unit and BD Alaris™ Systems Manager Network Session Vulnerability

Background

Last updated: August 09, 2022

Original Publication: November 12, 2020

This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA).

This product security bulletin is not related to the BD Alaris™ System recall notifications issued earlier this year.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the BD Alaris™ PC Unit and the BD Alaris™ Systems Manager. For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the DHS Cybersecurity and Infrastructure Security Agency (formerly the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)) and the Health Information Sharing and Analysis Center (H-ISAC).

BEGIN UPDATE B: Aug 09, 2022

Remediation

BD has released the following Alaris™ PC Unit software, which addresses CVE-2020-25165:

  • Alaris™ PC Unit 8015 with Software Versions 12.1.1 and newer


BD recommends that customers update to Alaris™ PC Unit versions 12.1.1 or newer, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD Sales Representative.

END UPDATE B: Aug 09, 2022

Products in Scope

This notification applies to the following BD Alaris™ products:

  • BD Alaris™ PC Unit, Model 8015, versions 9.33.1 and earlier; and
  • BD Alaris™ Systems Manager, versions 4.33 and earlier

Vulnerability Details

BD has been made aware of a network session vulnerability within the authentication process between specified versions of the BD Alaris™ PC Unit and the BD Alaris™ Systems Manager. If exploited, this vulnerability could allow an unauthorized user to establish a direct networking session between the two products.

BD has received no reports of exploits related to this vulnerability.

In order to exploit this vulnerability, an unauthorized user would need access to the customer's wireless network, redirect the BD Alaris™ PC Unit's authentication requests using custom code, and complete an authentication handshake based on the information extracted from those authentication requests.

If exploited, an unauthorized user could perform a denial of service attack on the BD Alaris™ PC Unit by modifying the configuration headers of data in transit. A denial of service attack could lead to a drop in the wireless capability of the BD Alaris™ PC Unit, resulting in manual operation of the PC Unit.

This vulnerability was reported to BD by security vendor Medigate.

Clinical Risk Assessment and Patient Safety Impact

Based on the risk evaluation for this vulnerability, the authentication process between BD Alaris™ PC Unit and Alaris™ Systems Manager is considered a low controlled risk with medium Common Vulnerability Scoring System (CVSS) severity. There is no documented evidence that this vulnerability has been exploited.

If a denial of service attack were successful, it could lead to a drop in the wireless capability of the Alaris™ PC Unit. The Alaris™ PC Unit will continue to function as programmed; however, network-based services such as pre-populating the Alaris™ PC Unit with infusion parameters through EMR Interoperability or wirelessly updating the Alaris™ System Guardrails™ (DERS) will not be available. The following lists the potential impacts and the actions that should be taken if the vulnerability is exploited and an attack occurs:

Impact: Inability to pre-populate the Alaris™ PC Unit with infusion parameters through EMR interoperability
Mitigation: After the operator scans the patient's wristband, the drug label, and the pump, the EMR will register that the infusion parameters were not delivered to the pump. The operator will then manually program the pump per their training. The pump will continue to have Alaris™ Guardrails™ dose error reduction software (DERS) regardless of wireless connectivity.

Impact: Inability to wirelessly send Alaris™ PC Unit data (such as log information)
Mitigation: When connectivity is restored, the data logs are downloaded to the server. In addition, data logs can be manually downloaded.

Impact: Inability to wirelessly send a new Guardrails™ data set to the Alaris™ PC Unit
Mitigation: During a loss of wireless connectivity, new Guardrails™ data sets can be manually uploaded to the PC Unit or will be uploaded whenever the wireless connection is reset. Whether manually or wirelessly uploaded, a new data set must be manually activated on a PC Unit while the pump is idle (not infusing). The pump will continue to have Alaris™ Guardrails™ (DERS) regardless of wireless connectivity.

Exploiting this vulnerability would not provide administration access to the BD Alaris™ PC Unit or the BD Alaris™ Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris™ PC Unit. Any Protected Health Information (PHI) or Personally Identifiable Information (PII) is encrypted.

Product Security Risk Assessment and Vulnerability Score

BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) to review the baseline Common Vulnerability Scoring System (CVSS) score as outlined below. This vulnerability score can be used in assessing risk within your own organization.

6.5 (medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Access to the same network that the device is connected to, for example the local Wi-Fi, is a prerequisite for an attack to occur. Specialized access conditions and/or extenuating circumstances are not needed; therefore, the attack complexity is low. No user privileges or user interaction are required to exploit this vulnerability. The scope of a potential attack remains unchanged. This vulnerability has no impact on confidentiality and a low impact on the integrity of the message header information, and it could have a low impact on the availability of the connection between the pumps and the customer's wireless network.

Mitigations & Compensating Controls

  • BD is addressing this vulnerability through two parts:
      ◦ An upcoming version of the BD Alaris™ PC Unit software, and
      ◦ BD Alaris™ Systems Manager v12.0.1, v12.0.2, v12.1.0, and v12.1.2
  • As part of our normal server upgrades, over 60% of Systems Manager installations have already been updated to a version that addresses this security vulnerability.
  • BD recommends the following mitigations and compensating controls to help our customers reduce the risks associated with this third-party vulnerability:
      ◦ Customers could enable the firewall on the Systems Manager server image and implement rules around port and service restrictions, per the product security whitepaper. This includes both inbound and outbound ports and services, which blocks most of the access to the server and will protect it from being affected by this vulnerability.
      ◦ If the customer employs a firewall between the server network segment and its wireless network segments, the customer can implement a firewall rule with an Access Control List (ACL) which restricts access to the wireless network segment to the specific MAC address of the wireless card on the pump. This would restrict access to the wireless segment to just authorized devices and not allow other devices to connect and authenticate to the segment.
      ◦ BD Alaris™ Systems Manager should be considered a critical service. Whenever possible, it should operate on a secured network behind a firewall, it should be patched regularly, and it should have malware protection.
      ◦ Disable any unnecessary accounts, protocols and services.
  • The combination of these actions can restrict which devices or systems can be on the segment and the types of traffic that can pass between the wireless network segment and the server segment where the Systems Manager server is located. These controls will help to mitigate and reduce the impact of this type of attack.

For More Information

For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office:

https://www.bd.com/productsecurity

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.