Risk: High. A CVSS v3 grade of 7.3 has been calculated. The CVSS vector string is CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Date Reported by CyberMDX: October 28, 2018
ICS-CERT Advisory date: June 13, 2019
CyberMDX discovered a previously undocumented vulnerability in the device, noting that the web management system doesn't require credentials and doesn't allow for password protection. As a result, anyone knowing the IP address of a targeted workstation can:
CyberMDX has tested and confirmed the presence of this vulnerability on version 1.0.13 of the device. BD (Becton, Dickinson and Company) conducted further testing and has itself confirmed the presence of this vulnerability in device versions 1.1.3, 1.2, 1.3.0, and 1.3.1.
Pages under configuration include: Identification; Date & Time (changes to these values would affect timestamps of log entries and snapshots of Patient Data Management System); Alarm Settings; Wired Networking; Wireless Networking; Serial ports.
The AGW is used for supplying power and network connection to multiple infusion and syringe pumps. The vulnerability described herein applies only to the following versions of the AGW Web Browser User Interface: 0.13; 1.3 Build 10; 1.3 MR Build 11; 1.5; 1.6
Per the CVSS 3.0 vulnerability scoring rubric, the following characteristics apply:
Attack vector: Network — this attack is over TCP.
Complexity: Low — only requires opening the web management system in a web browser.
Privileges Required: None — the machine does not authenticate anything.
User Interaction: None — this is done remotely with nothing needed on the user side.
Availability: Low — one can continuously reset the device and change its IP/subnet.
The following mitigations and compensatory controls are recommended in order to reduce risk associated with this vulnerability:
Elad Luz, Head of Research at CyberMDX
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.
A leading provider of medical cybersecurity, CyberMDX delivers zero-touch visibility and threat prevention for medical devices and clinical assets. Focusing on scalability and ease of use, CyberMDX offers a network and endpoint security solution designed specifically for the needs of hospitals — ensuring operational continuity as well as patient and data safety.