BD Alaris Fixes Gateway Workstation

Thursday, June 13, 2019 @ 05:06 PM gHale

Becton, Dickinson and Company (BD) has released mitigations and compensating controls for an improper access control vulnerability and an unrestricted upload of file with dangerous type vulnerability in its Alaris Gateway Workstation, according to a report with NCCIC.

Exploitation of these remotely exploitable vulnerabilities, discovered by Elad Luz of CyberMDX, could allow unauthorized arbitrary code execution, which in turn could allow an attacker to view and edit device status and configuration details and to make devices unavailable. The vendor said the affected products are not sold in the United States.

The following versions of BD’s Alaris Gateway Workstation suffer from the issues:

For the Alaris Gateway Workstation Web Browser User Interface vulnerability:
• 1.0.13
• 1.1.3 Build 10
• 1.1.3 MR Build 11
• 1.1.5
• 1.1.6

This does not impact the latest firmware Versions 1.3.2 and 1.6.1.

For the Alaris Gateway Workstation Dangerous File Upload vulnerability:
• 1.1.3 Build 10
• 1.1.3 MR Build 11
• 1.2 Build 15
• 1.3.0 Build 14
• 1.3.1 Build 13

This does not impact the latest firmware Versions 1.3.2 and 1.6.1.

Additionally, this notification applies to the following products using software Version 2.3.6 and below:
• Alaris GS
• Alaris GH
• Alaris CC
• Alaris TIVA

Only software Versions 2.3.6 and below are impacted. Software Version 2.3.6 was released in 2006. These pumps were previously sold under the Asena brand. This does not apply to Alaris Medley devices.

In one vulnerability, the web browser user interface on the Alaris Gateway Workstation does not prevent an attacker who knows the IP address of the Alaris Gateway Workstation terminal from gaining access to the status and configuration information of the device.

CVE-2019-10962 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

In addition, the application does not restrict the upload of malicious files during a firmware update.

CVE-2019-10959 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.

The products see use mainly in the healthcare and public health sector. They are deployed mainly in Europe and Asia.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

BD recommends the following mitigations and compensating controls in order to reduce risk associated with these vulnerabilities.

For the Alaris Gateway Workstation Web Browser User Interface vulnerability:
• BD recommends using the latest firmware, Version 1.3.2 or 1.6.1
• Users should ensure only appropriate associates have access to their network
• Users should isolate their network from untrusted systems

For the Alaris Gateway Workstation Dangerous File Upload vulnerability:
• BD recommends users block the SMB protocol
• Users should segregate their VLAN network
• Users should ensure only appropriate associates have access to the network

BD is currently assessing additional remediation efforts, including an adjustment to restrict the SMB protocol.

For more information on BD’s product security and vulnerability management, contact BD’s Product Security Office.
