
Vulnerability Research & Disclosures

CyberMDX Discovers Firmware Vulnerability in BD Alaris™ Gateway Workstation (A.K.A. AGW)

ICS-CERT Advisory CVE-2019-10959

Risk: High. The calculated CVSS v3 base score is 10.0 (Critical). The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Date Reported by CyberMDX: October 28, 2018
ICS-CERT Advisory date: June 13, 2019

Summary

CyberMDX discovered a previously undocumented vulnerability in the AGW: the Alaris™ Gateway Workstation accepts a firmware upgrade without any prior authentication or permission check. By supplying a counterfeit version of this upgrade, an attacker can install malicious content that the device treats as a legitimate update.

The attack can be carried out by anyone who gains access to the hospital's internal network. Files transferred through the update mechanism are copied straight to the device's internal memory and are allowed to overwrite existing files.

Vulnerability Details

This notification applies to the Alaris™ Gateway Workstation, with the following versions only:

  • 1.3 Build 10
  • 1.3 MR Build 11
  • 2 Build 15
  • 3.0 Build 14
  • 3.1 Build 13

Additionally, this notification applies to the following products, with software version 2.3.6 and below:

  • Alaris™ GS (not actively supported)
  • Alaris™ GH
  • Alaris™ CC
  • Alaris™ TIVA

Product background

The AGW supplies power and a network connection to multiple infusion and syringe pumps mounted on it. The device runs Windows CE (WinCE) and can execute standard .NET executables.

Attack characteristics

Per the CVSS 3.0 vulnerability scoring rubric, the following characteristics apply:

  • Attack Vector: Network. The attack is carried out over TCP.
  • Attack Complexity: Low*. An attacker can craft a malicious update file and upload it to the device with no authentication needed.
  • Privileges Required: None. The device does not authenticate the update or the host that sends it.
  • User Interaction: None. The attack is performed remotely, with no action required on the user side.
  • Scope: Changed**. Once code runs on the gateway, the attacker can interact directly with the mounted pumps, some of which accept remote control commands.
  • Confidentiality/Integrity/Availability: High***. Code running on the gateway can read all of the information it holds, report false data, and permanently disable the device.

* While some skill is required to modify a CAB file, attack complexity is ranked Low because there are no authentication barriers on the path to exploitation.

** The scope changes because the impact extends beyond the AGW itself to specific versions of the infusion pumps mounted on it.

*** Impacts to confidentiality, integrity and availability are High: code running on the gateway can read its data, falsify what it reports, and completely or partially disable the device.

Other security ramifications

This vulnerability can also compromise operational integrity and data security in the following ways:

  1. Bricking the device: a restart will not recover it, and the unit has to be returned to the factory for repair.
  2. Planting a persistent malicious agent on the gateway as a foothold for attacks against the rest of the network.
  3. Reporting false status information from the pumps.
  4. When the pumps connected to the gateway are Alaris™ GS, Alaris™ GH, Alaris™ CC or Alaris™ TIVA models, an attacker can communicate with the pump directly to remotely alter the infusion rate and issue start and stop commands, among others.

Mitigation recommendations

The following mitigations and compensating controls are recommended to reduce the risk associated with this vulnerability:

  • Contact the vendor to update the device firmware to the latest version.
  • Block SMB (TCP 445, and TCP 139 for the NetBIOS session service) to the device, since the unauthenticated update path is reached over SMB.
  • Review the composition of the VLAN to which the device belongs, and apply microsegmentation best practices and the corresponding security policies.
  • Ensure that only authorized personnel have access to the network.

BD is currently assessing additional remediation efforts, including removing SMB support from the device. Further details will be provided within 60 days of this original update.
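As an added example (not from the advisory, CyberMDX or BD), the Python script below shows the kind of network-side check a hospital SOC could run while waiting for the vendor fix, complementing the SMB block and segmentation advice above: it scans SMB file-transfer records and flags any file written to a known AGW from a host other than the approved update source, ranking CAB packages highest because the update mechanism described in the Summary accepts them without authentication. The record layout is modelled loosely on the fields of Zeek's smb_files.log, but every line of the sample log, the AGW addresses, the share names and the approved-updater address are constructed assumptions for this example.

```python
"""Flag SMB file writes to Alaris Gateway Workstations from unapproved hosts.

Added example. The AGW inventory, the approved update host, the share names
and every log record below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed inventory: gateway addresses and the single host allowed to push updates.
AGW_HOSTS = {"10.20.30.11", "10.20.30.12"}
APPROVED_UPDATE_SOURCES = {"10.20.1.5"}

# Constructed tab-separated records, loosely following Zeek smb_files.log:
# ts, id.orig_h, id.resp_h, action, path, name, size
SAMPLE_LOG = "\n".join([
    "1560412800.101\t10.20.1.5\t10.20.30.11\tSMB::FILE_WRITE\t\\\\10.20.30.11\\update\tAGW_3.1.13.cab\t4194304",
    "1560412805.220\t10.20.7.88\t10.20.30.12\tSMB::FILE_WRITE\t\\\\10.20.30.12\\update\tupdate.CAB\t1048576",
    "1560412810.002\t10.20.7.88\t10.20.30.12\tSMB::FILE_OPEN\t\\\\10.20.30.12\\update\treadme.txt\t120",
    "1560412811.550\t10.20.7.88\t10.20.30.11\tSMB::FILE_WRITE\t\\\\10.20.30.11\\update\tconfig.xml\t2048",
    "1560412812.900\t10.20.7.88\t10.20.40.9\tSMB::FILE_WRITE\t\\\\10.20.40.9\\docs\tnotes.cab\t2048",
])

FIELDS = ("ts", "src", "dst", "action", "path", "name", "size")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    name: str
    severity: str   # "high" for a CAB (firmware package) write, "medium" otherwise
    reason: str


def parse_record(line: str) -> dict[str, str]:
    """Split one tab-separated record into named fields; reject malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def is_firmware_package(name: str) -> bool:
    """The advisory's update format is a CAB archive; match the extension case-insensitively."""
    return name.lower().endswith(".cab")


def analyze(log_text: str) -> list[Finding]:
    """Return findings for SMB writes to a gateway that did not come from the approved updater."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["dst"] not in AGW_HOSTS or rec["action"] != "SMB::FILE_WRITE":
            continue  # only writes *to* a gateway matter for this check
        if rec["src"] in APPROVED_UPDATE_SOURCES:
            continue  # sanctioned update path (still worth auditing separately)
        if is_firmware_package(rec["name"]):
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["name"], "high",
                                    "CAB package written to AGW by unapproved host"))
        else:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["name"], "medium",
                                    "file written to AGW by unapproved host"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.dst} {f.name}: {f.reason}")
```

Because files pushed through the update path land directly in the gateway's internal memory and may overwrite existing files, any write from an unapproved host is reported, not only CAB archives; the extension check only sets the severity. Reads and opens are ignored here, and the approved updater is allowlisted by address, so the check is only as good as the inventory that feeds it.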

Credit

Elad Luz, Head of Research at CyberMDX

About CyberMDX's Cybersecurity Research & Analysis Team

CyberMDX's research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team's researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.

About CyberMDX

A leading provider of medical cybersecurity, CyberMDX delivers zero-touch visibility and threat prevention for medical devices and clinical assets. Focusing on scalability and ease of use, CyberMDX offers a network and endpoint security solution designed specifically for the needs of hospitals, ensuring operational continuity as well as patient and data safety.