Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots.

BD Alaris Gateway Workstation Web Management Vulnerability

Vedere Labs Team (formerly CyberMDX) Discovers Web Management Vulnerability in BD Alaris Gateway Workstation (A.K.A. AGW)


ICS-CERT Advisory (ICSMA-19-164-01)

 

Risk: High. A CVSS v3 grade of 7.3 has been calculated. The CVSS vector string is CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Date Reported by Vedere Labs: October 28, 2018
ICS-CERT Advisory date: June 13, 2019

 

Summary and Vulnerability Details

CyberMDX discovered a previously undocumented vulnerability in the device, noting that the web management system doesn’t require credentials and doesn’t allow for password protection. As a result, anyone knowing the IP address of a targeted workstation can:

  • Monitor pump statuses, access event logs, and user guide
  • Change the gateway’s network configuration* (IP/subnet/WiFi/LAN)
  • Restart the gateway (after changing the configuration you are permitted to restart)

CyberMDX has tested and confirmed the presence of this vulnerability on version 1.0.13 of the device. BD (Becton, Dickinson and Company) conducted further testing and have themselves confirmed the presence of this vulnerability in device versions 1.1.3, 1.2, 1.3.0, and 1.3.1.

*

Pages under configuration include: Identification, Date & Time; changes to these values would affect timestamps of log entries and snapshots of Patient Data Management System, Alarm Settings, Wired Networking, Wireless Networking, Serial ports

 

Product background

The AGW is used for supplying power and network connection to multiple infusion and syringe pumps. The vulnerability described herein applies only to the following versions of the AGW Web Browser User Interface: 0.13; 1.3 Build 10; 1.3 MR Build 11; 1.5; 1.6

 

Attack characteristics

Per the CVSS 3.0 vulnerability scoring rubric, the follow characteristic apply:

Attack vector: Network — this attack is over TCP.
Complexity: Low — only requires to open the web management in a web browser.
Privileges Required: None  the machine does not authenticate anything.
User Interaction: None  this is done remotely with nothing needed on the user side.
Scope: Unchanged.
Confidentiality: Low
Availability: Low — one can continuously reset the device and change its IP/subnet.

 

Mitigations and Recommendations

The following mitigations and compensatory controls are recommended in order to reduce risk associated with this vulnerability:

  • Customers should utilize the latest firmware version 1.3.2 or 1.6.1
  • Customers should ensure only appropriate associates have access to their network 
  • Customers should isolate their network from untrusted systems 

 

Credit

Elad Luz, Head of Research at CyberMDX, a Forescout Company

Forescout Products

Get the capabilities you need to build a tailored security solution for your digital terrain
and continuously automate actions to reduce cyber risk.

eyeSight

Assess Your Risk: Finding Vulnerable Devices

eyeSight

eyeInspect

Identify Attacks: Detecting Ongoing Exploits

eyeInspect

eyeSegment

Protect Your Organization: Segmenting the Network

eyeSegment
Demo RequestForescout PlatformTop of Page