Home Hacking News Critical Vulnerability In Drug Infusion System Could Alter Drug Dosage
Hacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

Critical Vulnerability In Drug Infusion System Could Alter Drug Dosage

by Abeerah Hashim
written by Abeerah Hashim
ownCloud vulnerabilities

Researchers have discovered two different vulnerabilities in the BD AlarisTM Gateway Workstation. Of these, a critical vulnerability in the firmware of the drug infusion system that could meddle with medical treatments. The bug could allow a remote attacker to take control of a system, and change drug dose in medical pumps. Whereas, the other, relatively less severe bug could also allow access to the device by an attacker.

Critical Vulnerability In Drug Infusion System Discovered

Researchers from CyberMDX have discovered a critical vulnerability in the AlarisTM Gateway Workstation. The vulnerability existed in the firmware of the drug infusion system that could meddle with drug dosage.

As stated in their vulnerability report,

The AlarisTM Gateway workstation supports a firmware upgrade that can be executed without any predicate authentication or permissions. Conducting a counterfeit version of this upgrade can allow bad actors a route to “authenticate” malicious content.

They further explained that anyone gaining access to the hospital’s network could exploit the bug. The remote attacker could then release a custom malicious update that overrides the system files, and take complete system control. The attacker could also alter the amount of drug dispensed by the medicine pumps.

After running code on the device one can directly interact with the pumps, and some of them support a remote control… Once running code on the machine, one can have access to all of its information, permanently disabling it, report false info and more.

The vulnerability CVE-2019-10959 attained a critical severity level with a CVSS score of 10.0.

Another Less Severe Vulnerability Also Found

Apart from the above-discussed vulnerability, the researchers also found another bug in the web management system of BD AlarisTM Gateway Workstation. In their vulnerability report, they explained that the vulnerability could allow an attacker to access the system without any authentication. As stated,

The web management system requires no credentials and does not allow for the incorporation of credentials. As a result, anyone knowing the IP address of a targeted workstation can: Monitor pump statuses, access event logs, and user guide; Change the gateway’s network configuration; Restart the gateway.

According to Bleeping Computer, the researchers have promptly reported the matter to Becton Dickinson. Following it, BD has recommended some mitigations, which the ICS-CERT also confirm in their advisory. Besides, BD also assured providing a patch for the bugs soon.

Take your time to comment on this news.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites