CyberMDX discovered a previously undocumented vulnerability in the device, noting that the web management system doesn’t require credentials and doesn’t allow for password protection. As a result, anyone knowing the IP address of a targeted workstation can:
Monitor pump statuses, access event logs, and user guide
Change the gateway’s network configuration* (IP/subnet/WiFi/LAN)
Restart the gateway (after changing the configuration you are permitted to restart)
CyberMDX has tested and confirmed the presence of this vulnerability on version 1.0.13 of the device. BD (Becton, Dickinson and Company) conducted further testing and has itself confirmed the presence of this vulnerability in device versions 1.1.3, 1.2, 1.3.0, and 1.3.1.
* Pages under configuration include: Identification, Date & Time (changes to these values would affect timestamps of log entries and snapshots of the Patient Data Management System), Alarm Settings, Wired Networking, Wireless Networking, and Serial Ports.
The AGW is used for supplying power and network connection to multiple infusion and syringe pumps. The vulnerability described herein applies only to the following versions of the AGW Web Browser User Interface: 0.13; 1.3 Build 10; 1.3 MR Build 11; 1.5; 1.6
Attack vector: Network — this attack is over TCP.
Complexity: Low — it only requires opening the web management system in a web browser.
Privileges Required: None — the machine does not authenticate anything.
User Interaction: None — this is done remotely with nothing needed on the user side.
Scope: Unchanged.
Confidentiality: Low.
Availability: Low — one can continuously reset the device and change its IP/subnet.
Mitigations and Recommendations
The following mitigations and compensatory controls are recommended in order to reduce risk associated with this vulnerability:
Customers should utilize the latest firmware version 1.3.2 or 1.6.1
Customers should ensure only appropriate associates have access to their network
Customers should isolate their network from untrusted systems
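The firmware and network-isolation mitigations above can be checked against an asset inventory and flow records. The following is an added example, not code from CyberMDX or BD: the addresses, allowed subnet, flow records and web ports (80/443) are constructed assumptions, as is the mapping of 1.3.x units to the 1.3.2 fix and all other units to 1.6.1.

```python
import ipaddress

# Fixed releases named in the advisory.
FIXED_13, FIXED_16 = (1, 3, 2), (1, 6, 1)
# Constructed inventory (documentation addresses): gateway IP -> reported version.
INVENTORY = {"192.0.2.10": "1.3.1", "192.0.2.11": "1.3.2",
             "192.0.2.12": "1.6", "192.0.2.13": "1.6.1"}
# Assumption: the only subnet that should reach the web management system.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]
# Assumption: the web management system listens on the usual HTTP/HTTPS ports.
WEB_PORTS = {80, 443}
# Constructed flow records: "source destination tcp_port".
FLOWS = """\
198.51.100.5 192.0.2.10 80
203.0.113.77 192.0.2.10 80
203.0.113.77 192.0.2.13 443
198.51.100.9 192.0.2.12 22
"""

def parse_version(text):
    """'1.6' -> (1, 6, 0); pads to three numeric components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(text):
    """Assumed mapping: 1.3.x is fixed at 1.3.2, every other line at 1.6.1."""
    v = parse_version(text)
    if v[:2] == (1, 3):
        return v >= FIXED_13
    return v >= FIXED_16

def unexpected_access(flows, inventory, allowed, ports):
    """(src, dst) pairs reaching a gateway web port from outside allowed subnets."""
    hits = []
    for line in flows.splitlines():
        src, dst, port = line.split()
        outside = not any(ipaddress.ip_address(src) in net for net in allowed)
        if dst in inventory and int(port) in ports and outside:
            hits.append((src, dst))
    return hits

def triage(inventory, flows, allowed, ports):
    """Per gateway: is the upgrade still needed, and who reached it unexpectedly."""
    hits = unexpected_access(flows, inventory, allowed, ports)
    return {ip: {"needs_upgrade": not is_patched(ver),
                 "unexpected_sources": sorted({s for s, d in hits if d == ip})}
            for ip, ver in inventory.items()}

if __name__ == "__main__":
    print(triage(INVENTORY, FLOWS, ALLOWED_SOURCES, WEB_PORTS))
```

Because the web management system has no authentication, a patched unit that still shows unexpected sources (192.0.2.13 in the sample) is worth following up as an isolation gap.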
Elad Luz, Head of Research at CyberMDX, a Forescout Company