BD Alaris Gateway Workstation Web Management Vulnerability
Vedere Labs Team (formerly CyberMDX) Discovers Web Management Vulnerability in BD Alaris Gateway Workstation (A.K.A. AGW)
ICS-CERT Advisory (ICSMA-19-164-01)
Risk: High. CVSS v3 base score: 7.3. CVSS vector string: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Date Reported by Vedere Labs: October 28, 2018
ICS-CERT Advisory date: June 13, 2019
Summary and Vulnerability Details
CyberMDX discovered a previously undocumented vulnerability in the device: the web management interface does not require credentials and offers no way to configure password protection. As a result, anyone who knows the IP address of a targeted workstation can:
- Monitor pump statuses and access the event logs and user guide
- Change the gateway’s network configuration* (IP/subnet/WiFi/LAN)
- Restart the gateway (a restart is offered after a configuration change)
CyberMDX has tested and confirmed the presence of this vulnerability on version 1.0.13 of the device. BD (Becton, Dickinson and Company) conducted further testing and has itself confirmed the presence of this vulnerability in device versions 1.1.3, 1.2, 1.3.0, and 1.3.1.
* Configuration pages include: Identification; Date & Time (changing these values affects the timestamps of log entries and of Patient Data Management System snapshots); Alarm Settings; Wired Networking; Wireless Networking; Serial Ports.
Product background
The AGW is used for supplying power and network connection to multiple infusion and syringe pumps. The vulnerability described herein applies only to the following versions of the AGW Web Browser User Interface: 0.13; 1.3 Build 10; 1.3 MR Build 11; 1.5; 1.6
Attack characteristics
Per the CVSS 3.0 vulnerability scoring rubric, the following characteristics apply:
Attack vector: Network — this attack is over TCP.
Complexity: Low — it only requires opening the web management interface in a web browser.
Privileges Required: None — the device does not authenticate requests.
User Interaction: None — this is done remotely with nothing needed on the user side.
Scope: Unchanged.
Confidentiality: Low
Availability: Low — an attacker can repeatedly restart the device and change its IP/subnet.
Mitigations and Recommendations
The following mitigations and compensatory controls are recommended to reduce the risk associated with this vulnerability:
- Customers should use the latest firmware version, 1.3.2 or 1.6.1
- Customers should ensure only appropriate associates have access to their network
- Customers should isolate their network from untrusted systems
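As an added example, not from the advisory or from BD, the Python monitor below turns the network-restriction recommendations into a check that can run over firewall or proxy logs: any request to a gateway's web interface from outside an allowlisted management VLAN is flagged, and the severity is raised for requests that change configuration or restart the device, the actions the advisory lists as reachable without credentials. The log format, addresses, networks and URL paths are all constructed for this example; the real AGW URL layout is not documented on this page.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: syslog-style lines from a firewall in front of the gateway.
# Field names, addresses and paths are made up for the example.
SAMPLE_LOG = """\
2019-06-13T08:01:12Z fw01 ALLOW src=10.20.5.14 dst=10.20.9.30 dport=80 method=GET path=/status
2019-06-13T08:02:40Z fw01 ALLOW src=10.60.77.201 dst=10.20.9.30 dport=80 method=GET path=/status
2019-06-13T08:03:05Z fw01 ALLOW src=10.60.77.201 dst=10.20.9.30 dport=80 method=POST path=/config/network
2019-06-13T08:03:09Z fw01 ALLOW src=10.60.77.201 dst=10.20.9.30 dport=80 method=POST path=/restart
2019-06-13T08:10:00Z fw01 ALLOW src=10.20.5.14 dst=10.20.9.30 dport=80 method=POST path=/config/datetime
2019-06-13T08:11:30Z fw01 ALLOW src=10.60.77.201 dst=10.20.9.31 dport=443 method=GET path=/
"""

AGW_HOSTS = {ipaddress.ip_address("10.20.9.30")}        # constructed gateway address
MGMT_NETS = [ipaddress.ip_network("10.20.5.0/24")]       # constructed biomed engineering VLAN
WEB_PORTS = {80, 443}
# Hypothetical path prefixes for configuration pages and the restart action.
CHANGE_PATHS = ("/config/", "/restart")

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) method=(\S+) path=(\S+)")


def parse_line(line: str) -> Optional[Dict]:
    """Extract the fields this check needs; lines that do not match are ignored."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, method, path = m.groups()
    return {
        "ts": line.split()[0],
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "method": method,
        "path": path,
    }


def classify(ev: Dict) -> Optional[str]:
    """Severity for one request to a gateway web interface, or None if not relevant."""
    if ev["dst"] not in AGW_HOSTS or ev["dport"] not in WEB_PORTS:
        return None
    from_mgmt = any(ev["src"] in net for net in MGMT_NETS)
    changes = ev["method"] != "GET" or ev["path"].startswith(CHANGE_PATHS)
    if not from_mgmt and changes:
        return "critical"   # configuration change or restart from outside the management VLAN
    if not from_mgmt:
        return "high"       # unauthenticated read access (status, logs) from outside the VLAN
    if changes:
        return "info"       # expected administrator activity, kept for the audit trail
    return None


def find_alerts(log_text: str) -> List[Dict]:
    """Run the check over a block of log lines and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        severity = classify(ev)
        if severity:
            alerts.append({**ev, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f'{a["ts"]} {a["severity"]:8} {a["src"]} -> {a["dst"]}:{a["dport"]} {a["method"]} {a["path"]}')
```

Because the interface cannot be given a password, the allowlist in MGMT_NETS is the control that actually limits who can reach it; the "info" entries preserve a record of legitimate changes so that an unexpected timestamp or network change on the gateway can be matched back to a request.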
Credit
Elad Luz, Head of Research at CyberMDX, a Forescout Company