ICSMA-23-194-01 · Published 2023-10-26 · View on CISA ICS-CERT
BD Alaris System with Guardrails Suite MX
CVSS 8.2
HIGH
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to compromise sensitive data, hijack a session, modify firmware, make changes to system configurations, among other system impacts.
CVEs (8)
Remediations
- BD has released BD Alaris System 12.3 with the following software:
  - BD Alaris Systems Manager Software version 12.5.1 - Remediates CVE-2018-1285, CVE-2023-30563, CVE-2023-30564, and CVE-2023-30565; partially remediates CVE-2023-30562
  - Calculation Services, version 1.1.1 - Remediates CVE-2018-1285, CVE-2023-30563, CVE-2023-30564, and CVE-2023-30565; partially remediates CVE-2023-30562
  - BD Alaris System 12.3, which includes BD Alaris Guardrails Editor version 12.1.3, partially remediates CVE-2023-30562 and reduces the CVSS score from 6.7 (Medium) to 3.0 (Low). Additional information is provided under Vulnerability Details; the updated CVSS vector string is CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
  - BD Alaris System 12.3 is no longer compatible with CQI Reporter version 10.17 and earlier; therefore CVE-2023-30565 no longer applies.
- BD recommends customers update to the BD Alaris System 12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.
- BD also updated the BD Alaris PCU Model 8015 to version 12.3.1 when the BD Alaris System 12.3 was released. The following CVEs are still present on the BD Alaris PCU Model 8015 version 12.3.1: CVE-2023-30559, CVE-2023-30560, and CVE-2023-30561. This bulletin will be updated with additional remediation information when available.
- For additional information, customers may request a copy of the latest BD Alaris System Product Security White Paper by visiting the BD Cybersecurity Trust Center.
- To reduce the risk associated with these vulnerabilities, BD recommends users implement the following mitigations and compensating controls:
  - Provide appropriate network perimeter security, such as using firewalls, or create Access Control Lists (ACLs) to limit network traffic from devices to only the required ports on the required endpoints.
  - The PCU only requires access to DNS, Dynamic Host Configuration Protocol (DHCP), and the Systems Manager (SM) on port 3613. The PCU does not accept unsolicited inbound traffic.
  - BD recommends segmenting BD Alaris PCUs onto a separate virtual local area network (VLAN) to further enhance the security of BD Alaris PCUs.
  - Users should control network access to the SM server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the SM Virtual Machine Deployment Guide.
  - Users should apply SSL certificates from valid Certificate Authorities, per Chapter 9 of the same document.
  - Follow Chapter 1 of the Alaris System Maintenance Software User Manual to enable an authentication challenge password for network configuration changes. See the Network Settings section of the same manual for details on how to manage these credentials.
  - Monitor network traffic for unusual or unexpected traffic and activity. If users suspect credentials have been exposed, change credentials immediately.
  - Utilize MAC filtering on the network segment containing the BD Alaris System to restrict access to only those approved devices needed.
  - Periodically inspect BD Alaris System components to ensure they are running the correct software versions. Use the instructions in Chapter 4 of the SM User Manual or Section 6.2.10 of the BD Alaris PCU and Pump Module Technical Service Manual to find software versions.
  - Adhere to industry security best practices regarding access control, identification and authorization, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2.
  - Inspect the BD Alaris System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris System Products Service Manual.
- For more information, refer to BD's security bulletin.
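The advisory's compensating controls reduce the PCU's expected network profile to three things: DNS, DHCP, and the Systems Manager on port 3613, with no unsolicited inbound traffic. The following added example (not BD's or CISA's code) turns that profile into a check a defender can run over connection records from the PCU VLAN; the addresses, the VLAN range and the flow-record format are constructed assumptions, and each record is assumed to describe a new connection.

```python
"""Flag PCU connections that fall outside the profile the advisory describes:
DNS, DHCP, and the Systems Manager (SM) on TCP 3613, nothing unsolicited inbound.
Added example with constructed addresses and a constructed flow-record format."""
import ipaddress
import re

PCU_VLAN = ipaddress.ip_network("10.20.30.0/24")  # assumed PCU segment
DNS_SERVERS = {"10.20.1.53"}                        # assumed DNS resolvers
SM_SERVER = "10.20.2.10"                            # assumed Systems Manager host
DHCP_BROADCAST = "255.255.255.255"

# (destination class, protocol, destination port) tuples a PCU may initiate.
ALLOWED_EGRESS = {
    ("dns", "udp", 53), ("dns", "tcp", 53),
    ("dhcp", "udp", 67),          # DHCP client to server
    ("sm", "tcp", 3613),          # Systems Manager, per the advisory
}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def classify_dst(dst):
    """Map a destination address onto the classes used in ALLOWED_EGRESS."""
    if dst in DNS_SERVERS:
        return "dns"
    if dst == SM_SERVER:
        return "sm"
    if dst == DHCP_BROADCAST:
        return "dhcp"
    return "other"


def check_flow(line):
    """Return None if the connection fits the PCU profile, else a reason string."""
    m = LINE_RE.search(line)
    if not m:
        return "unparseable record"
    src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
    src_is_pcu = ipaddress.ip_address(src) in PCU_VLAN
    dst_is_pcu = ipaddress.ip_address(dst) in PCU_VLAN
    if dst_is_pcu and not src_is_pcu:
        # The PCU should never be the target of a new inbound connection.
        return f"unsolicited inbound connection to PCU {dst} on {proto}/{dport}"
    if src_is_pcu and (classify_dst(dst), proto, dport) not in ALLOWED_EGRESS:
        return f"PCU {src} egress outside profile: {dst} {proto}/{dport}"
    return None


def audit(lines):
    """Return [(record, reason)] for every record that violates the profile."""
    return [(line, reason) for line in lines for reason in [check_flow(line)] if reason]


# Constructed sample records: three in profile, three that should be flagged.
SAMPLE_FLOWS = [
    "src=10.20.30.5 dst=10.20.1.53 proto=udp dport=53",
    "src=10.20.30.5 dst=255.255.255.255 proto=udp dport=67",
    "src=10.20.30.5 dst=10.20.2.10 proto=tcp dport=3613",
    "src=10.20.30.5 dst=10.20.2.10 proto=tcp dport=443",   # SM host, unexpected port
    "src=10.20.30.7 dst=203.0.113.9 proto=tcp dport=80",   # PCU reaching the internet
    "src=10.20.5.44 dst=10.20.30.5 proto=tcp dport=23",    # inbound to a PCU
]
```

Feeding real connection records through `audit` gives a short list of flows to investigate, which also doubles as a check that the firewall or ACL actually enforces the intended allowlist.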
Affected Vendors
Becton, Dickinson and Company (BD)
Affected Products (6)
- Becton, Dickinson and Company (BD): BD Alaris Point-of-Care Unit (PCU) Model 8015, versions <=12.1.3
- Becton, Dickinson and Company (BD): BD Alaris Guardrails Editor, versions <=12.1.2
- Becton, Dickinson and Company (BD): BD Alaris Guardrails Editor, version 12.1.3
- Becton, Dickinson and Company (BD): BD Alaris Systems Manager, versions <=12.3
- Becton, Dickinson and Company (BD): CQI Reporter, versions <=10.17
- Becton, Dickinson and Company (BD): Calculation Services, versions <=1.0
Affected Sectors
Healthcare, Public Health