ICSMA-20-317-01  ·  Published 2020-11-12  ·  View on CISA ICS-CERT ↗

BD Alaris 8015 PC Unit and BD Alaris Systems Manager

CVSS 6.5 MEDIUM

Risk Summary

Successful exploitation of this vulnerability could lead to a drop in the wireless capability of the Alaris PC Unit. To exploit this vulnerability, an attacker would need to gain access to the network associated with the affected devices, redirect the BD Alaris PC Unit's authentication requests with a custom code, and complete an authentication handshake based on the information extracted from the authentication requests. The Alaris PC Unit will continue to function as programmed; however, network-based services such as pre-populating the Alaris PC Unit with infusion parameters through EMR Interoperability or wirelessly updating the Alaris System Guardrails (DERS) will not be available.

CVEs (1)

Remediations

  • BD has provided the following mitigations and compensating controls to assist users in reducing the risks associated with this vulnerability.
  • As part of BD's normal server upgrades, many of the Systems Manager installations have already been updated to a version that addresses this security vulnerability.
  • BD plans to release an upcoming version of the BD Alaris PC Unit software to address this vulnerability, and Versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2 of the BD Alaris Systems Manager will address this vulnerability.
  • BD also recommends the following mitigations and compensating controls to reduce the risks associated with this vulnerability:
  • The combination of these actions can restrict what devices or systems can be on the segment and the types of traffic that could be used between the wireless network segment and the server segment where the Systems Manager Server is located. These controls will help to mitigate and reduce the impact of this type of attack. For additional information, please see the BD product security bulletin.

Affected Vendors

Becton, Dickinson and Company (BD)

Affected Products (2)

Becton, Dickinson and Company (BD) · Alaris PC Unit Model 8015 <= 9.33.1
Becton, Dickinson and Company (BD) · Alaris Systems Manager <= 4.33

Affected Sectors

Healthcare and Public Health
