Chemical Safety Incidents
Alaris Credentials Vulnerabilities
Wednesday, February 8, 2017 @ 02:02 PM gHale
Becton, Dickinson and Company (BD) found insufficiently protected credentials vulnerabilities in its Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions, according to a report with ICS-CERT.
BD did not create a fix to address these vulnerabilities, but has issued compensating controls to help reduce the risk associated with these vulnerabilities.
The following Alaris PC unit versions suffer from the issue:
• Alaris 8015 PC unit, Version 9.5 and prior versions
• Alaris 8015 PC unit, Version 9.7
Successful exploitation of these vulnerabilities may allow an unauthorized user with physical access to an affected device to access the host facility’s wireless network authentication credentials and other sensitive technical data.
BD is a U.S.-based company that maintains offices in multiple countries around the world.
The affected product, the Alaris 8015 PC unit, is the core of the Alaris System that provides a common user interface for programming intravenous infusions. The Alaris 8015 PC unit sees action across the healthcare and public health sector. BD said the Alaris 8015 PC unit sees use on a global basis.
In one vulnerability, an unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device’s flash memory. The Alaris 8015 PC unit, Version 9.7 stores wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.
CVE-2016-8375 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.9.
In another vulnerability, an unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device’s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device’s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker’s convenience.
CVE-2016-9355 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
These vulnerabilities are not remotely exploitable. No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.
BD has not developed a product fix to address these vulnerabilities, but has issued compensating controls to reduce the risk of exploitation. BD recommends users apply the following compensating controls:
• Alaris PC unit model 8015 users should upgrade from software Version 9.5 to the latest Alaris PC unit software in order to further reduce the associated risks, as software Version 9.7 and later versions do not store network credentials on the removable flash memory.
• For Alaris PC unit model 8015 devices Version 9.7 and later, BD has implemented Federal Information Processing Standard (FIPS) 140-2 Level 2 physical security controls, including standard tamper-evident physical seals which can end up applied to hardware to provide indication of unauthorized physical access. Users should review “FIPS 140-2 Compliance Instructions for Alaris Products” guide, pages 11-29, for information on how to enforce FIPS 140-2 level 2 physical security controls on the Alaris PC unit.
• Users should exercise diligence in implementing a physical asset management program that involves tracking and inventorying equipment, particularly for Alaris PC units that store credentials in removable flash memory.
• Users should follow procedures for clearing wireless network authentication credentials on the Alaris PC unit if the device is to be removed or transported from the facility. These procedures are outlined in the Alaris System Maintenance Software User Manual.
• Users should change wireless network authentication credentials regularly and immediately if there is evidence of unauthorized physical access to an Alaris device at their facility.
• Users should consider security policy in which wireless credentials are not configured for the Alaris PC unit if wireless networking functionality is not being utilized for operation. This will remediate these vulnerabilities for nonwireless users.
• Users may choose to implement Access Control Lists that restrict device access to specific media access control (MAC) and IP addresses, ports, protocols, and services.
• Users may choose to place Alaris PC units on an isolated network with dedicated service set identifier (SSID) to reduce the impact of compromised wireless network credentials. In all cases, security best practice prescribes frequent changing of SSID and wireless authentication credentials.
Click here for the BD security bulletin for the Alaris PC unit (PCU) model 8015.
For additional information about the identified vulnerabilities or BD’s compensating controls, contact BD’s Customer Support.