CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.
The flaws affect the Alaris Gateway Workstation, which is used for mounting, powering and communicating with infusion pumps. Specifically, the weaknesses impact devices running versions 1.1.3, 1.2, 1.3.0 and 1.3.1 of the firmware. The latest versions, 1.3.2 and 1.6.1, are not impacted.
Exploitation of the flaws could affect Alaris GS (no longer supported), GH, CC and TIVA infusion pumps running software version 2.3.6 and earlier. BD pointed out that version 2.3.6 was released back in 2006.
One of the vulnerabilities, tracked as CVE-2019-10959 and classified as “critical” with a CVSS score of 10, allows an attacker with network access to the targeted device to upload a malicious firmware to the Alaris Gateway Workstation.
The second security hole, tracked as CVE-2019-10962 and rated “high severity,” allows an attacker to access the web-based interface of the Alaris Gateway Workstation simply by knowing its IP address.
An attacker could exploit these vulnerabilities to brick the workstation device or manipulate communications with infusion pumps, which, in a worst case scenario, can be used to modify drug dosages or prevent the device from administering life-saving treatment, CyberMDX said.
CyberMDX told SecurityWeek that it’s not aware of any Alaris Gateway Workstation instances exposed directly to the internet and the company believes that the chances for that are extremely low.
“BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient’s IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker. BD has had zero reports of this issue occurring from any customer sites,” BD said in its advisory.
BD has pointed out that the vulnerable products are not sold in the United States. An advisory from the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) shows that the devices are mainly used in Europe and Asia.
In addition to patches, BD released some recommendations for mitigating potential attacks.