Risk: High. A CVSS v3 base score of 10.0 (critical) has been calculated. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Date Reported by CyberMDX: October 28, 2018
ICS-CERT Advisory date: June 13, 2019
CyberMDX discovered a previously undocumented vulnerability in the device, noting that the Alaris™ Gateway Workstation supports a firmware upgrade that can be executed without any prior authentication or permission check. Carrying out a counterfeit version of this upgrade gives bad actors a route to “authenticate” malicious content.
This exploit can be carried out by anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the device’s internal memory and are allowed to overwrite existing files.
This notification applies to the Alaris™ Gateway Workstation, with the following versions only:
Additionally, this notification applies to the following products, with software version 2.3.6 and below:
The AGW (Alaris Gateway Workstation) supplies power and a network connection to multiple infusion and syringe pumps. The device runs WinCE and can execute standard .NET executables.
Per the CVSS 3.0 vulnerability scoring rubric, the following characteristics apply:
Attack vector: Network — This attack is over TCP.
Complexity: Low* — one could craft a malicious update file and upload it to the device with no authentication needed.
Privileges Required: None — the device does not authenticate the update at all.
User Interaction: None — the attack is carried out remotely, with nothing required on the user side.
Scope: Changed** — after running code on the device, one can directly interact with the pumps, and some of them support remote control.
Confidentiality/Integrity/Availability: High*** — once code is running on the machine, one can access all of its information, permanently disable it, report false information, and more.
While there is some degree of skill required for CAB file modification, this vulnerability was ranked low in terms of attack complexity due to the lack of any authentication barriers on the path to exploitation.
The scope can change to affect specific versions of mounted infusion pumps outside the perimeter of the AGW.
High impacts to system and data integrity and availability exist, as complete or partial disabling of the gateway is possible.
This vulnerability can also compromise operational integrity and data security in the following ways:
The following mitigations and compensatory controls are recommended in order to reduce risk associated with this vulnerability:
BD is currently assessing additional remediation efforts, including removing the device’s SMB protocol capability. Further details will be provided within 60 days of this original update.
Elad Luz, Head of Research at CyberMDX
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.