Vulnerability
Advisory

CyberMDX Discovers Web Management Vulnerability in BD Alaris^TM Gateway Workstation (A.K.A. AGW)

ICS-CERT Advisory (ICSMA-19-164-01)

Risk: High. A CVSS v3 grade of 7.3 has been calculated. The CVSS vector string is CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Date Reported by CyberMDX: October 28, 2018
ICS-CERT Advisory date: June 13, 2019

Summary and Vulnerability Details

CyberMDX discovered a previously undocumented vulnerability in the device, noting that the web management system doesn’t require credentials and doesn’t allow for password protection. As a result, anyone knowing the IP address of a targeted workstation can:

• Monitor pump statuses, access event logs, and user guide
• Change the gateway’s network configuration* (IP/subnet/WiFi/LAN)
• Restart the gateway (after changing the configuration you are permitted to restart)

CyberMDX has tested and confirmed the presence of this vulnerability on version 1.0.13 of the device. BD (Becton, Dickinson and Company) conducted further testing and have themselves confirmed the presence of this vulnerability in device versions 1.1.3, 1.2, 1.3.0, and 1.3.1.

Pages under configuration include: Identification, Date & Time; changes to these values would affect timestamps of log entries and snapshots of Patient Data Management System, Alarm Settings, Wired Networking, Wireless Networking, Serial ports

Product background

The AGW is used for supplying power and network connection to multiple infusion and syringe pumps. The vulnerability described herein applies only to the following versions of the AGW Web Browser User Interface: 0.13; 1.3 Build 10; 1.3 MR Build 11; 1.5; 1.6

Attack characteristics

Per the CVSS 3.0 vulnerability scoring rubric, the follow characteristic apply:

Attack vector: Network — this attack is over TCP.
Complexity: Low — only requires to open the web management in a web browser.
Privileges Required: None — the machine does not authenticate anything.
User Interaction: None — this is done remotely with nothing needed on the user side.
Scope: Unchanged.
Confidentiality: Low
Availability: Low — one can continuously reset the device and change its IP/subnet.

Mitigations and Recommendations

The following mitigations and compensatory controls are recommended in order to reduce risk associated with this vulnerability:

• Customers should utilize the latest firmware version 1.3.2 or 1.6.1
• Customers should ensure only appropriate associates have access to their network 
• Customers should isolate their network from untrusted systems 

Credit

Elad Luz, Head of Research at CyberMDX

About CyberMDX’s Cybersecurity Research & Analysis Team 

CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.