Medical tech company Becton, Dickinson and Company (BD) has advised users of its Alaris Gateway Workstation – a smart connectivity and integration solution for infusion pump devices – to update their firmware, following the discovery of a highly critical remote code execution vulnerability.
CyberMDX researcher Elad Luz found that multiple versions of the workstation – a tower upon which multiple infusion pumps can be mounted and docked – fail to prevent the upload of malicious files during a firmware update.
An online vulnerability disclosure published by CyberMDX yesterday warns that affected devices could be exploited to accept counterfeit firmware updates "without any predicate authentication or permissions," adding that such an attack "can be carried out by anyone who gains access to the hospital's internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files."
"An attack of this sort can allow an attacker to disable the workstation, disrupt the flow of electricity to care-critical infusion pumps, falsify pump status information (vital for the nursing staff), and in some cases even alter drug delivery," wrote Jon Rabinowitz, VP marketing at CyberMDX, in a company blog post.
Designated CVE-2019-10959, the vulnerability was assigned the highest possible CVSS v3 base score of 10.0, and was observed in Alaris Gateway Workstation versions 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14 and 1.3.1 Build 13. The GS, GH, CC and TIVA models of Alaris syringe pumps are also impacted if they use software versions 2.3.6 or below. These pumps were previously sold under the Asena brand.
In its own June 13 vulnerability disclosure, BD asserts that a successful attack on a pump's infusion parameters is a low-probability event because it depends on multiple prerequisites that collectively would be difficult to achieve.
"In order to access this vulnerability, an attacker would need to gain access to a hospital network, have intimate knowledge of the product, be able to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE," the advisory states. "If an attacker is able to complete those steps, they may also utilize this vulnerability to change the scope to adjust commands on the infusion pump, including adjust the infusion rate on specific mounted infusion pumps..."
A separate statement BD sent to SC Media also noted that CyberMDX "was not able to replicate the manipulation of infusion parameters, and there have been no reported exploits of this vulnerability." Furthermore, "Because the vulnerability is limited to a single BD infusion system offering (the Alaris Gateway Workstation) that is not sold in the U.S., it is important to note this disclosure does not apply to the majority of BD infusion systems."
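The CVE-2019-10959 failure mode described above is a firmware update path that copies uploaded files straight into device storage with no authentication of the bundle. The following added example (not BD's or CyberMDX's code) contrasts that pattern with a verified-update handler: a manifest of per-file hashes, an integrity tag over the manifest, and a path check before anything is written. The bundle format, the device key and the file names are constructed for the demo; HMAC stands in for the vendor public-key signature a real device would check, because the Python standard library has no asymmetric primitives.

```python
import hmac, hashlib, json

# Constructed demo key: stands in for the vendor public key a real device holds in ROM.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

def sign_bundle(files, key=DEVICE_KEY):
    """Build an update bundle: a manifest of SHA-256 per file plus a tag over the manifest."""
    manifest = {"files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}}
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": body, "mac": hmac.new(key, body, "sha256").hexdigest(), "files": files}

def apply_update_unauthenticated(bundle, storage):
    """The pattern the advisory describes: every uploaded file is copied straight into
    device storage, overwriting whatever is there, with no check of who produced it."""
    storage.update(bundle["files"])
    return True

def apply_update_verified(bundle, storage, key=DEVICE_KEY):
    """Hardened pattern: accept the bundle only if the manifest authenticates, every file
    matches its listed hash, and no path can escape the update area."""
    body = bundle["manifest"]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), bundle["mac"]):
        return False  # counterfeit or tampered manifest
    listed = json.loads(body)["files"]
    if set(listed) != set(bundle["files"]):
        return False  # files added to or removed from the signed set
    for name, data in bundle["files"].items():
        if name.startswith("/") or ".." in name.split("/"):
            return False  # would overwrite files outside the update area
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), listed[name]):
            return False  # file content altered after the manifest was signed
    storage.update(bundle["files"])  # all checks passed: stage everything at once
    return True

def demo():
    """Run four constructed bundles through both handlers; returns {label: (weak, hardened)}."""
    good = sign_bundle({"app/pump_ui.bin": b"release build"})
    tampered = dict(good, files={"app/pump_ui.bin": b"altered after signing"})
    forged = sign_bundle({"app/pump_ui.bin": b"counterfeit"}, key=b"key the device never trusted")
    traversal = sign_bundle({"../system/config.xml": b"outside update area"})
    results = {}
    for label, bundle in [("good", good), ("tampered", tampered),
                          ("forged", forged), ("traversal", traversal)]:
        weak, hardened = {}, {}
        results[label] = (apply_update_unauthenticated(bundle, weak),
                          apply_update_verified(bundle, hardened))
    return results
```

The unauthenticated handler accepts all four bundles; the verified handler accepts only the genuine one and rejects the tampered, forged and path-traversing bundles without writing anything.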
Luz also uncovered a second, high-severity "improper access control" vulnerability, CVE-2019-10962. "The web browser user interface on the Alaris Gateway Workstation does not prevent an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the status and configuration information of the device," warn advisories issued by both ICS-CERT and NIST.
Assigned a CVSS v3 base score of 7.3, the flaw is found in versions 1.0.13, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.1.5 and 1.1.6.
The latest firmware releases, versions 1.3.2 and 1.6.1, are safe from the two vulnerabilities. Users are advised to update their firmware accordingly.
Per the ICS-CERT advisory, BD said users can prevent an exploit of CVE-2019-10959 by not only updating their firmware, but also blocking the SMB protocol, segregating their VLAN networks and ensuring that only appropriate associates have network access.
Meanwhile, the Department of Homeland Security's National Cybersecurity and Communications Integration Center, ICS-CERT's parent office, recommends minimizing the network exposure of medical systems and devices, placing devices behind firewalls and isolating them, adopting a least-privilege approach, and disabling unnecessary accounts, protocols and services, among other precautions.