Threat Intelligence: BD Alaris Network Sessions Vulnerability

Vulnerability with a CVSS score of 6.5 affects the BD Alaris 8015 PC Unit and BD Alaris Systems Manager
Cynerio
News
Nov 12, 2020

Advisory Information

On Thursday, November 12, 2020, BD voluntarily alerted the US Department of Homeland Security and the FDA of a network session vulnerability with a CVSS score of 6.5 affecting specific versions of two BD Alaris products. The vulnerability has been assigned CVE-2020-25165.

Devices Affected

  • BD Alaris™ PC Unit, Model 8015, versions 9.33.1 and earlier
  • BD Alaris™ Systems Manager, versions 4.33 and earlier

Note: This vulnerability is unrelated to the BD Alaris recall issued in February 2020.

How Does This Vulnerability Affect BD Alaris Products?

This is a network session vulnerability that has the potential to disrupt the authentication process between the BD Alaris PC Unit and Systems Manager products. If a threat actor successfully exploits the vulnerability, they can establish an unauthorized, direct communications session between the two products.

Additionally, threat actors can use that unauthorized access to carry out a denial-of-service attack on the PC Unit, resulting in the loss of the product’s wireless capability. Without wireless, the device must be operated manually and loses its interoperability with the EMR. The loss of wireless also leaves the device unable to receive crucial updates from Alaris System Guardrails (DERS), disrupting clinical workflow and jeopardizing patient treatment.

To date, the vulnerability is not known to have been exploited in the wild.

What Can Be Done to Mitigate the Threat & How Can Cynerio Help?

BD is currently working on releasing server upgrades to mitigate the threat posed by this vulnerability. In the meantime, Cynerio can:

  1. Identify and flag every affected device within your network
  2. Identify attempted exploits of the vulnerability and send real-time alerts to relevant team members
  3. Flag any redundant services, protocols, and accounts associated with the vulnerable devices
  4. Automatically configure firewall, NAC, and ACL policies tailored to the network that can be applied using your existing security infrastructure
  5. Notify team members when updated information on remediating this vulnerability is released by BD
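The first step in the list above, identifying affected devices, comes down to matching an asset inventory against the version ranges the advisory names. The following is an added example, not Cynerio's or BD's code: it takes a constructed inventory (hypothetical host names and version strings), compares each BD Alaris record against the affected ranges for CVE-2020-25165, and separates devices that are affected from those whose version is missing or unparseable and therefore need manual verification. The inventory field names (host, product, model, version) are assumptions for the example.

```python
"""Flag BD Alaris devices whose versions fall inside the ranges named in the
advisory for CVE-2020-25165: PC Unit model 8015 <= 9.33.1, Systems Manager <= 4.33.
Inventory layout and every device record below are constructed for this example."""
import re
from typing import Dict, List, Optional, Tuple

# Affected ceilings as stated in the advisory ("and earlier" is read as numerically <=).
PC_UNIT_MAX_AFFECTED = (9, 33, 1)
SYSTEMS_MANAGER_MAX_AFFECTED = (4, 33)
PC_UNIT_MODEL = "8015"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.33.1' into (9, 33, 1). Raises ValueError if no numeric parts exist."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_most(version: Tuple[int, ...], ceiling: Tuple[int, ...]) -> bool:
    """Numeric comparison with zero padding, so '4.33' and '4.33.0' compare equal."""
    width = max(len(version), len(ceiling))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(ceiling)


def assess(device: Dict[str, str]) -> str:
    """Classify one inventory record: affected, not_affected, unknown, or not_in_scope."""
    product = device.get("product", "").lower()
    if "pc unit" in product:
        if device.get("model") != PC_UNIT_MODEL:
            return "not_in_scope"          # advisory names model 8015 only
        ceiling = PC_UNIT_MAX_AFFECTED
    elif "systems manager" in product:
        ceiling = SYSTEMS_MANAGER_MAX_AFFECTED
    else:
        return "not_in_scope"              # not a BD Alaris product covered here

    version: Optional[str] = device.get("version")
    if not version:
        return "unknown"                   # no version recorded: verify on the device
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"                   # garbage in the inventory: verify manually
    return "affected" if version_at_most(parsed, ceiling) else "not_affected"


def affected_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    return sorted(d["host"] for d in inventory if assess(d) == "affected")


def review_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hosts that could not be classified and should be checked by hand."""
    return sorted(d["host"] for d in inventory if assess(d) == "unknown")


# Constructed sample inventory; host names and version strings are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "pump-01", "product": "BD Alaris PC Unit", "model": "8015", "version": "9.19"},
    {"host": "pump-02", "product": "BD Alaris PC Unit", "model": "8015", "version": "9.33.1"},
    {"host": "pump-03", "product": "BD Alaris PC Unit", "model": "8015", "version": "12.1"},
    {"host": "pump-04", "product": "BD Alaris PC Unit", "model": "8015", "version": ""},
    {"host": "mgr-01", "product": "BD Alaris Systems Manager", "version": "4.33"},
    {"host": "mgr-02", "product": "BD Alaris Systems Manager", "version": "4.34"},
    {"host": "ws-01", "product": "Nursing station workstation", "version": "10.0"},
]

if __name__ == "__main__":
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
    print("needs manual review:", review_hosts(SAMPLE_INVENTORY))
```

Records with an empty or unparseable version are deliberately reported separately rather than silently treated as safe; in a clinical network a pump with no recorded firmware version is the one most likely to have been missed by patching.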

Some other helpful resources

BD Product Security Bulletin 

ICS Medical Advisory (ICSMA-20-317-01)
