===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4041
      Advisory (icsma-20-317-01) BD Alaris 8015 PC Unit and BD Alaris
                              Systems Manager
                              13 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BD Alaris 8015 PC Unit
                   BD Alaris Systems Manager
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25165

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Medical Advisory (ICSMA-20-317-01)

BD Alaris 8015 PC Unit and BD Alaris Systems Manager

Original release date: November 12, 2020

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are
provided "as is" for informational purposes only. The Department of
Homeland Security (DHS) does not provide any warranties of any kind
regarding any information contained within. DHS does not endorse any
commercial product or service, referenced in this product or otherwise.
Further dissemination of this product is governed by the Traffic Light
Protocol (TLP) marking in the header. For more information about TLP, see
https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 6.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Becton, Dickinson and Company (BD)
  o Equipment: BD Alaris 8015 PC Unit and BD Alaris Systems Manager
  o Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a drop in the
wireless capability of the Alaris PC Unit.
In order to exploit this vulnerability, an attacker would need to gain
access to the network associated with the affected devices and redirect the
BD Alaris PC Unit's authentication requests with a custom code and complete
an authentication handshake based on the information extracted from the
authentication requests. The Alaris PC Unit will continue to function as
programmed; however, network-based services such as pre-populating the
Alaris PC Unit with infusion parameters through EMR Interoperability or
wirelessly updating the Alaris System Guardrails (DERS) will not be
available. As a result of a successful attack, the operator may have to
manually program the pump, download data logs, or activate the new data
set.

Exploiting this vulnerability would not provide administration access to
the BD Alaris PC Unit or the BD Alaris Systems Manager. An unauthorized
user would not be able to gain permissions or be able to perform remote
commands for the BD Alaris PC Unit. Any Protected Health Information (PHI)
or Personally Identifiable Information (PII) is encrypted.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of BD Alaris infusion products are affected:

  o BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier
  o BD Alaris Systems Manager, Versions 4.33 and earlier

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

The affected products are vulnerable to a network session authentication
vulnerability within the authentication process between specified versions
of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited,
an attacker could perform a denial-of-service attack on the BD Alaris PC
Unit by modifying the configuration headers of data in transit. A
denial-of-service attack could lead to a drop in the wireless capability of
the BD Alaris PC Unit, resulting in manual operation of the PC Unit.

CVE-2020-25165 has been assigned to this vulnerability.
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Medigate discovered this vulnerability and reported it to BD.

4. MITIGATIONS

BD has provided the following mitigations and compensating controls to
assist users in reducing the risks associated with this vulnerability.

As part of BD's normal server upgrades, many of the Systems Manager
installations have already been updated to a version that addresses this
security vulnerability. BD plans to release an upcoming version of the BD
Alaris PC Unit software to address this vulnerability, and Versions 12.0.1,
12.0.2, 12.1.0, and 12.1.2 of the BD Alaris Systems Manager will address
this vulnerability.

BD also recommends the following mitigations and compensating controls to
reduce the risks associated with this vulnerability:

  o Enable the firewall on the Systems Manager server image and implement
    rules around port and services restrictions, per BD's product security
    whitepaper. This includes both inbound and outbound ports and services,
    which blocks most of the access to the server and will protect it from
    being affected by this vulnerability.
  o If a firewall is integrated between the server network segment and its
    wireless network segments, implement a firewall rule with an access
    control list (ACL) that restricts access to the wireless network
    segment via the specific MAC address of the wireless card on the pump.
    This would restrict access to the wireless segment to only authorized
    devices and not allow other devices to connect and authenticate to the
    segment.
  o BD Alaris Systems Manager should be considered a critical service.
    Whenever possible, it should operate on a secured network behind a
    firewall, be patched regularly, and have malware protection.
  o Disable any unnecessary accounts, protocols, and services.

The combination of these actions can restrict what devices or systems can
be on the segment and the types of traffic that could be used between the
wireless network segment and the server segment where the Systems Manager
Server is located. These controls will help to mitigate and reduce the
impact of this type of attack. For additional information please see the
BD product security bulletin.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.cisa.gov. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.cisa.gov in the Technical
Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection
and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow
their established internal procedures and report their findings to CISA
for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================