Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

         Advisory (icsma-20-317-01) BD Alaris 8015 PC Unit and BD
                          Alaris Systems Manager
                             13 November 2020


        AusCERT Security Bulletin Summary

Product:           BD Alaris 8015 PC Unit
                   BD Alaris Systems Manager
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25165  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Medical Advisory (ICSMA-20-317-01)

BD Alaris 8015 PC Unit and BD Alaris Systems Manager

Original release date: November 12, 2020

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are
provided"as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see https://us-cert.cisa.gov/tlp/ .


  o CVSS v3 6.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Becton, Dickinson and Company (BD)
  o Equipment: BD Alaris 8015 PC Unit and BD Alaris Systems Manager
  o Vulnerability: Improper Authentication


Successful exploitation of this vulnerability could lead to a drop in the
wireless capability of the Alaris PC Unit. In order to exploit this
vulnerability, an attacker would need to gain access to the network associated
with the affected devices and redirect the BD Alaris PC Unit's authentication
requests with a custom code and complete an authentication handshake based on
the information extracted from the authentication requests. The Alaris PC Unit
will continue to function as programmed; however, network-based services such
as pre-populating the Alaris PC Unit with infusion parameters through EMR
Interoperability or wirelessly updating the Alaris System Guardrails (DERS)
will not be available.

As a result of a successful attack, the operator may have to manually program
the pump, download data logs, or activate the new data set. Exploiting this
vulnerability would not provide administration access to the BD Alaris PC Unit
or the BD Alaris Systems Manager. An unauthorized user would not be able to
gain permissions or be able to perform remote commands for the BD Alaris PC
Unit. Any Protected Health Information (PHI) or Personally Identifiable
Information (PII) is encrypted.



The following versions of BD Alaris infusion products are affected:

  o BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier
  o BD Alaris Systems Manager, Versions 4.33 and earlier



The affected products are vulnerable to a network session authentication
vulnerability within the authentication process between specified versions of
the BD Alaris PC Unit and the BD Alaris Systems Manager.
If exploited, an attacker could perform a denial-of-service attack on the BD
Alaris PC Unit by modifying the configuration headers of data in transit. A
denial-of-service attack could lead to a drop in the wireless capability of the
BD Alaris PC Unit, resulting in manual operation of the PC Unit.

CVE-2020-25165 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:L/A:L ).


  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health


Medigate discovered this vulnerability and reported it to BD.


BD has provided the following mitigations and compensating controls to assist
users in reducing the risks associated with this vulnerability.

As part of BD's normal server upgrades, many of the Systems Manager
installations have already been updated to a version that addresses this
security vulnerability.

BD plans to release an upcoming version of the BD Alaris PC Unit software to
address this vulnerability, and Versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2 of
the BD Alaris Systems Manager will address this vulnerability.

BD also recommends the following mitigations and compensating controls to
reduce the risks associated with this vulnerability:

  o Enable the firewall on the Systems Manager server image and implement rules
    around port and services restrictions, per BD's product security whitepaper
    . This includes both inbound and outbound ports and services, which blocks
    most of the access to the server and will protect it from being affected by
    this vulnerability.
  o If a firewall is integrated between the server network segment and its
    wireless network segments, implement a firewall rule with an access control
    list (ACL) that restricts access to the wireless network segment via the
    specific MAC address of the wireless card on the pump. This would restrict
    access to the wireless segment to only authorized devices and not allow
    other devices to connect and authenticate to the segment.
  o BD Alaris Systems Manager should be considered a critical service. Whenever
    possible, it should operate on a secured network behind a firewall, be
    patched regularly, and have malware protection.
  o Disable any unnecessary accounts, protocols, and services.

The combination of these actions can restrict what devices or systems can be on
the segment and the types of traffic that could be used between the wireless
network segment and the server segment where the Systems Manager Server is
located. These controls will help to mitigate and reduce the impact of this
type of attack.For additional information please see the BD product security
bulletin .

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov . Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967