Researchers have discovered two vulnerabilities in the BD Alaris™ Gateway Workstation. One is a critical vulnerability in the firmware of the drug infusion system that could meddle with medical treatments: it could allow a remote attacker to take control of a system and change the drug dose in medical pumps. The other, relatively less severe bug could also allow an attacker to access the device.
Critical Vulnerability In Drug Infusion System Discovered
Researchers from CyberMDX have discovered a critical vulnerability in the Alaris™ Gateway Workstation. The vulnerability, located in the firmware of the drug infusion system, could be used to meddle with drug dosage.
As stated in their vulnerability report,
The Alaris™ Gateway workstation supports a firmware upgrade that can be executed without any predicate authentication or permissions. Conducting a counterfeit version of this upgrade can allow bad actors a route to “authenticate” malicious content.
They further explained that anyone gaining access to the hospital’s network could exploit the bug. The remote attacker could then release a custom malicious update that overrides the system files, and take complete system control. The attacker could also alter the amount of drug dispensed by the medicine pumps.
After running code on the device one can directly interact with the pumps, and some of them support a remote control… Once running code on the machine, one can have access to all of its information, permanently disabling it, report false info and more.
The vulnerability, CVE-2019-10959, received a critical severity rating with a CVSS score of 10.0.
Another Less Severe Vulnerability Also Found
Apart from the vulnerability discussed above, the researchers also found another bug in the web management system of the BD Alaris™ Gateway Workstation. In their vulnerability report, they explained that the vulnerability could allow an attacker to access the system without any authentication. As stated,
The web management system requires no credentials and does not allow for the incorporation of credentials. As a result, anyone knowing the IP address of a targeted workstation can: Monitor pump statuses, access event logs, and user guide; Change the gateway’s network configuration; Restart the gateway.
According to Bleeping Computer, the researchers promptly reported the matter to Becton Dickinson. BD has since recommended some mitigations, which ICS-CERT also confirms in its advisory. BD also gave assurances that it would provide a patch for the bugs soon.