Medical Device Maker Flags 8 Flaws in Drug Infusion ProductsBD and CISA Say Data and Devices Are at Risk From an Alaris System Vulnerability
Federal regulators and medical device maker Becton, Dickinson and Co. are warning about eight vulnerabilities that could allow an attacker to compromise BD's medication infusion product suite, potentially putting data and device integrity at risk if exploited.
The device manufacturer in a bulletin Thursday said it had discovered the eight vulnerabilities in its BD Alaris Guardrails Suite MX, which affect versions 12.1.3 and earlier, through routine internal security testing and had reported them to federal regulators.
The testing program is part of BD's software development life cycle process, which includes vulnerability scanning, code analysis, threat modeling and penetration testing, the company said.
BD reported the issues to the Food and Drug Administration, the Cybersecurity and Infrastructure Security Agency, and industry information-sharing and analysis organizations. CISA on Thursday issued an advisory about the vulnerabilities.
To date, there have been no reports of the vulnerabilities being exploited, the company said.
BD said it had performed risk assessments on all eight vulnerabilities and determined the product's existing control measures reduce the probability of harm. It said the residual risk is considered acceptable. "Remediation and deployment planning for these vulnerabilities is currently in progress," the company said.
CISA in its advisory said the BD product vulnerabilities have a "low attack complexity" and that successful exploitation could allow a malicious actor to compromise sensitive data, hijack a session, modify firmware and make changes to system configurations.
The highest-severity vulnerability of the eight is an "improper neutralization of input during web page generation" - or cross-site scripting - flaw. The vulnerability, if exploited, could allow a malicious file to be uploaded into the BD Alaris Systems Manager user import function resulting in a hijacked session. The flaw is tracked as CVE-2023-30563 and has a CVSS v3 base score of 8.2, CISA said.
A second cross-site scripting vulnerability, CVE-2023-30564, which has a CVSS v3 base score of 6.9, involves the Alaris Systems Manager not performing input validation during the device import function, CISA said.
The other six vulnerabilities identified are:
- CVE-2023-30560: This improper authentication flaw affects the BD Alaris Point-of-Care Unit Model 8015 v12.1.3 and prior. If exploited, the flaw can allow the configuration from the PCU to be modified without authentication using physical connection to the PCU. It has a CVSS v3 base score of 6.8.
- CVE-2023-30561: This flaw involves missing encryption of sensitive data. It affects BD Alaris Point-of-Care Unit Model 8015 v12.1.3 and prior. The data flowing between the PCU and its modules is unencrypted, which could allow a threat actor with physical access to read or modify data by attaching a specially crafted device while an infusion is running. It has a CVSS v3 base score of 6.1.
- CVE-2023-30559: This improper input validation flaw affects BD Alaris Point-of-Care Unit Model 8015 v12.1.3 and prior. The firmware update package for the wireless card is not properly signed and can be modified. It has a CVSS v3 base score of 5.2.
- CVE-2023-30562: This insufficient verification of data authenticity flaw affects BD Alaris Guardrails Editor v12.1.2 and prior. It could allow the GRE dataset file within the systems manager to be tampered with and distributed to the PCUs and has a CVSS v3 base score of 6.7.
- CVE-2023-30565: This cleartext transmission of sensitive information flaw involves an insecure connection between the Alaris Systems Manager and CQI Reporter v10.17 application, which could expose infusion data to an attacker. It has a CVSS v3 base score of 3.5.
- CVE-2018-1285: This improper restriction of HML external entity reference flaw involves a lack of input validation within Apache Log4Net due to an outdated software version. It could allow a threat actor to execute malicious commands and has a CVSS v3 base score of 3.0.
To help reduce risk involving the vulnerabilities, BD recommends that clients implement certain mitigations and compensating controls.
That includes using appropriate network perimeter security, such as firewalls; rotating Wi-Fi network credentials; periodically inspecting BD Alaris System components to confirm they are running the updated versions of software; and implementing security best practices recommended by the National Institute of Standards and Technology, including access control, identification and authorization, and physical asset protection.
While BD for several years has been among the more proactive device manufacturers and has participated in coordinated vulnerability disclosure when issues are identified in its products, federal regulators are raising the cybersecurity bar for all medical device makers.
Under a new FDA "refuse to accept" policy going into effect Oct. 1, the agency will reject premarket submissions for new medical devices that don't detail cybersecurity measures. Device makers will be required to submit a plan to address postmarket vulnerabilities and a method for coordinated disclosures of exploits (see: FDA Will Begin Rejecting Medical Devices Over Cyber Soon).