Last updated: August 09, 2022

Original Publication: October 01, 2019

BD has assessed eight reported vulnerabilities that impact VxWorks, a real-time operating system (RTOS) from third-party vendor Wind River Systems, and three vulnerabilities that impact connected devices leveraging the Interpeak IPnet standalone TCP/IP networking stack associated with VxWorks. These vulnerabilities are not exclusive to BD, or medical devices that use VxWorks or the Interpeak IPnet standalone TCP/IP networking stack. BD is providing this update to educate customers on which BD products and under what conditions their devices could be affected by this third-party vulnerability

There have been no reported exploits of the BD Alaris™ PC Unit or any BD products associated with the vulnerabilities in this third-party software.

BEGIN UPDATE A: Aug 09, 2022

Remediation

BD has released the following Alaris™ PC Unit software, which addresses CVE-2019-12255 and CVE-2019-12264, also known as “Urgent 11:”

• Alaris™ PC Unit Software Versions 12.1.0 and newer

BD recommends that customers update to Alaris™ PC Unit versions 12.1.1 or newer, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD Sales Representative.

END UPDATE A: Aug 09, 2022

The Alaris™ PC Unit is potentially affected by two of the three reported vulnerabilities in the Interpeak IPnet standalone TCP/IP networking stack, specifically, CVE-2019-12255 and CVE-2019-12264.

• CVE-2019-12255: TCP Urgent Pointer = 0 leads to integer underflow
  • To exploit this vulnerability on an Alaris™ PC Unit, an attacker would have to gain access to the customer network, identify the IP address of the Alaris™ PC Unit, redirect traffic from the Alaris™ PC Unit’s server connection to itself (spoofing) and then send malicious packets to the Alaris™ PC Unit. A successful attack may result in an error with the Alaris™ PC Unit, signaling a highly detectable alarm and locking the keyboard. The Alaris System was designed to fail safely allowing the infusions to continue when a PCU error occurs. Additionally, a theoretical pathway could result in an unauthorized change to patient therapy. An attacker would need to follow the series of steps above, in addition to six other advanced sequence of events, and also understand internal proprietary architecture of the Alaris PC Unit to result in an authorized change to patient therapy. BD engineers that are experts on the device and its system architecture have not been able to reproduce this theoretical vulnerability.

• CVE-2019-12264: Logical flaw in IPv4 assignment by the ipdhcpc Dynamic Host Configuration Protocol (DHCP) client
  • To exploit this vulnerability and assign the Alaris™ PC unit with an invalid IP address, an attacker would need to gain access to the customer network, monitor the DHCP requests from the Alaris™ PC Unit, send spoofed DHCP response with an invalid IP address, which may lead to a denial of service in the wireless capability of the Alaris™ PC Unit. The Alaris™ PC Unit will continue to function as expected; however network based services such as interoperability will not be available.

A third vulnerability, CVE-2019-12262, does not affect the Alaris PC Unit, as BD specific configurations for the Alaris™ PC Unit does not use this functionality.

Note: These vulnerabilities have been assessed using the Common Vulnerability Scoring System (CVSS) version 3.0 ( https://www.first.org/cvss/) by Wind River Systems

• CVE-2019-12255: CVSS 9.8 (high) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/
• CVE-2019-12264: CVSS 7.1 (medium) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.