CVE-2023-30559: BD Alaris™ System with Guardrails™ Suite MX
The firmware update package for the wireless card is not properly signed and can be modified.
BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.
This notification provides product security information and recommendations related to security vulnerabilities found within the BD Alaris™ System with Guardrails™ Suite MX, versions 12.1.3 and earlier.
As a routine practice, BD has voluntarily shared these vulnerabilities with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.
The eight security vulnerabilities below are present on the BD Alaris™ System v12.1.3 and earlier versions. All the vulnerabilities in this bulletin were discovered through routine internal security testing, which is part of our software development life cycle. There have been no reports of these vulnerabilities being exploited.
BD has performed risk assessments on each vulnerability in accordance with AAMI-TIR57 and ISO 14971 where potential safety impact was possible. For all eight vulnerabilities, it has been determined that the product’s existing control measures effectively reduce the probability of harm, and the residual risk is considered acceptable. Remediation and deployment planning for these vulnerabilities is currently in progress. This disclosure will be updated when more information is available.
For additional information, customers may request a copy of the latest BD Alaris™ System Product Security White Paper by visiting the BD Cybersecurity Trust Center.
BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier
1. CVE-2023-30559 - Wireless Card Firmware Improperly Signed (Medium)
2. CVE-2023-30560 - PCU Configuration Lacks Authentication (Medium)
3. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus (Medium)
BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier
4. CVE-2023-30562 - Lack of Dataset Integrity Checking (Medium)
BD Alaris™ Systems Manager, versions 12.3 and earlier
5. CVE-2023-30563 - Stored Cross-Site Scripting (XSS) on User Import Functionality (High)
6. CVE-2023-30564 - Stored Cross-Site Scripting (XSS) on Device Import Functionality (Medium)
CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)
7. CVE-2023-30565 - CQI Data Sniffing (Low)
Calculation Services, versions 1.0 and earlier (only applicable to customers currently using Interoperability features)
8. CVE-2018-1285 - Apache Log4Net Calculation Services (Low)
BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. BD assigned the below CVSS scores to these vulnerabilities.
1. CVE-2023-30559 - Wireless Card Firmware Improperly Signed
Vulnerability Description: The firmware update package for the wireless card is not properly signed and can be modified.
CVSS 5.2 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Rationale: Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is low impact to the confidentiality and the integrity of the system. However, there is a high impact to the availability of the system.
2. CVE-2023-30560 - PCU Configuration Lacks Authentication
Vulnerability Description: The configuration from the PCU can be modified without authentication using physical connection to the PCU.
CVSS 6.8 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Rationale: Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no specialized access conditions or extenuating circumstances are required. Additionally, no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality, integrity and availability.
3. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus
Vulnerability Description: The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.
CVSS 6.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Rationale: A threat actor would require physical access to the BD Alaris™ PCU via a specially configured device for protocol exploration and exploitation. While the complexity of this exploit is low, significant technical experience is required. No specialized privileges or user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality and integrity. However, there is no impact to the availability of the system.
4. CVE-2023-30562 - Lack of Dataset Integrity Checking
Vulnerability Description: A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.
CVSS 6.7 (Medium) CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Rationale: A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low because the attacker only needs to modify certain fields within the system. To modify the file, the threat actor would need to have generalized permissions. Systems Manager user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is no impact to the confidentiality of the system. This exploit would impact the integrity of the GRE dataset file directly, as it would be subject to out-of-band modification. Additionally, any such modification would have the potential of disabling the effective use of downstream PCUs, impacting the overall availability of the system.
5. CVE-2023-30563 - Stored Cross-Site Scripting on User Import Functionality
Vulnerability Description: A malicious file could be uploaded into the Systems Manager User Import Function, resulting in a hijacked session.
CVSS 8.2 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Rationale: A threat actor requires network access to the Systems Manager (SM) application. If no privileges are required on the computer running SM, the complexity of exploiting this vulnerability is low. Systems Manager user interaction is required. If this vulnerability were to be successfully exploited, it could impact other systems containing sensitive information. There is no impact to availability, a low impact to integrity of the SM application and a high impact to confidentiality.
6. CVE-2023-30564 - Stored Cross-Site Scripting on Device Import Functionality
Vulnerability Description: Alaris Systems Manager does not perform input validation during the Device Import Function.
CVSS 6.9 (Medium) CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Rationale: The threat actor would need to be on an adjacent network to successfully exploit this vulnerability. If there is no requirement for an attacker to be authenticated to the host machine, the attack complexity is low. Any Systems Manager user is required to load a malicious payload. This vulnerability could cause impacts beyond the Systems Manager to other components. There is no impact to availability. However, there is low impact to integrity and high impact to confidentiality.
7. CVE-2023-30565 - CQI Data Sniffing
Vulnerability Description: An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.
CVSS 3.5 (Low) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Rationale: A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low and there are no specialized privileges or user interaction required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a low impact to confidentiality due to data flow access, there are no impacts to integrity or availability.
8. CVE-2018-1285 - Apache Log4Net Calculation Services
Vulnerability Description: A lack of input validation within Apache Log4Net (due to an outdated software version) could allow a threat actor to execute malicious commands.
CVSS 3.0 (Low) CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Rationale: A threat actor would require local access to Systems Manager. An attacker would be required to have elevated privileges after accessing the target system and modify a vulnerable instance of the Log4Net configuration file. User interaction is not required and, if exploited, the threat actor could not make changes to other components of the system. While there is no impact to confidentiality of the application, there is a low impact to both integrity and availability.
BD has assessed the clinical risk and patient safety impact of these vulnerabilities. The following two vulnerabilities have no clinical impact or safety concern at this time:
CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)
- CQI Data Sniffing (CVE-2023-30565)
- Viewing CQI data has no impact to the function of the BD Alaris™ System.
BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier
- Lack of Cryptographic Security of IUI Bus (CVE-2023-30561)
- For this vulnerability, the likelihood of an attacker attaching and operating a specially crafted device at the bedside without being detected has been determined to be reasonably unforeseeable.
The remaining vulnerabilities have the possibility to impact patient safety. However, the potential for harm can only occur if the vulnerability is exploited; there have been no reports of exploitation in any customer environment or clinical setting.
BD Alaris™ Point-of-Care Unit (PCU) Model 8015, versions 12.1.3 and earlier
- PCU Configuration Lacks Authentication (CVE-2023-30560)
- The BD Alaris™ PCU has one vulnerability that impacts a single PCU and requires physical access to exploit. If exploited, physical access will allow unauthorized tampering and modification of configurations, which may result in a partial or total loss of integrity. Modifications to firmware, datasets, network credentials and log files are possible, which may impact functionality of the Alaris System and require the PCU to be replaced. The system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.
BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier
- Lack of Dataset Integrity Checking (CVE-2023-30562)
- Guardrails™ Editor has one vulnerability. If exploited, an attacker can pivot from Systems Manager to Guardrails Editor to misconfigure the dataset. This may result in the inadvertent activation of an undesired dataset on the PCU. However, the system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.
BD Alaris™ Systems Manager, versions 12.3 and earlier
- Stored Cross-Site Scripting (XSS) on User Import Functionality (CVE-2023-30563) and Stored Cross-Site Scripting (XSS) on Device Import Functionality (CVE-2023-30564)
- BD Alaris™ Systems Manager has two vulnerabilities. If either is exploited, limited administrative services, such as importing new datasets, would lead to a minor delay in therapy until restored; however, the PCU will continue to operate as intended with the existing dataset. The system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.
BD Alaris™ EMR Interoperability
- Wireless Card Firmware Improperly Signed (CVE-2023-30559) and Apache Log4Net Calculation Services (CVE-2018-1285)
- There are two vulnerabilities that affect customers using BD Alaris™ EMR Interoperability. If exploited, a loss of application or network connectivity could lead to a delay in therapy. The system is designed to allow a clinician to program the infusion manually (standard non-interop programming workflow). The clinician can immediately program the infusion manually after the failure of an Automated Programming Request (APR). Moreover, the system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.
To further reduce the risk associated with these vulnerabilities, BD recommends customers implement the following mitigations and compensating controls:
Network Security
- Provide appropriate network perimeter security, such as firewalls, or create Access Control Lists (ACL) to limit network traffic from devices to only the required ports on the required endpoints. The PCU only requires access to DNS, DHCP and Systems Manager on port 3613. The PCU does not accept any unsolicited inbound traffic. Segmenting BD Alaris™ PCUs onto their own VLAN to further enhance the security of BD Alaris™ PCUs is highly recommended.
- Customers should control network access to the Systems Manager server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the Systems Manager Virtual Machine Deployment Guide. Customers should apply SSL certificates from valid Certificate Authorities, per Chapter 9 of the same document.
- Enable authentication challenge password for network configuration changes, per Chapter 1 of the Alaris System Maintenance Software User Manual.
- Rotate Wi-Fi network credentials in alignment with customer security policies and NIST SP 800-63, “Digital Identity Guidelines.” See Network Settings within the Alaris System Maintenance User Manual for instructions on how to manage these credentials. Monitor network traffic for unusual or unexpected traffic and activity. In the event the credentials are suspected of being exposed, change the credentials immediately.
- Utilize MAC filtering to restrict access to only those approved/whitelisted devices necessary to operate on the network segment containing the BD Alaris™ System.
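The first network recommendation above gives a concrete allow-list for a PCU: DNS, DHCP and Systems Manager on port 3613, with no unsolicited inbound traffic. The script below (an added example, not BD tooling) applies that allow-list to connection-initiation flow records so unexpected PCU traffic can be flagged for investigation; the PCU VLAN, Systems Manager address, DNS resolver and the log format are assumed and the sample records are constructed.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed addressing (not from the bulletin): PCUs on their own VLAN, one Systems
# Manager host and one approved DNS resolver. Adjust to the site's layout.
PCU_VLAN = ipaddress.ip_network("10.20.30.0/24")
SYSTEMS_MANAGER = ipaddress.ip_address("10.20.40.5")
DNS_SERVERS = {ipaddress.ip_address("10.20.40.53")}
SYSTEMS_MANAGER_PORT = 3613   # the port named in the bulletin

def parse_flow(line):
    """Parse one constructed 'key=value' flow record into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))

def unexpected_reason(flow):
    """Return why a flow violates the PCU allow-list, or None if it is expected."""
    from_pcu, to_pcu = flow.src in PCU_VLAN, flow.dst in PCU_VLAN
    if to_pcu and not from_pcu:
        return "unsolicited inbound connection to a PCU"
    if not from_pcu:
        return None   # not PCU traffic; outside this check's scope
    if flow.proto == "udp" and flow.dport == 53:
        return None if flow.dst in DNS_SERVERS else "DNS to an unapproved resolver"
    if flow.proto == "udp" and flow.dport == 67:
        return None   # DHCP client to server
    if flow.proto == "tcp" and flow.dport == SYSTEMS_MANAGER_PORT:
        return None if flow.dst == SYSTEMS_MANAGER else "port 3613 to a host other than Systems Manager"
    return f"PCU contacting {flow.dst} on {flow.proto}/{flow.dport}, not in the allow-list"

def audit(lines):
    """Return [(Flow, reason)] for every record that should be investigated."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = unexpected_reason(flow)
        if reason:
            findings.append((flow, reason))
    return findings

# Constructed sample flow records (connection initiations), not real traffic.
SAMPLE_LOG = [
    "src=10.20.30.11 dst=10.20.40.53 proto=udp dport=53",       # approved DNS
    "src=10.20.30.11 dst=10.20.40.5 proto=tcp dport=3613",      # Systems Manager
    "src=10.20.30.12 dst=255.255.255.255 proto=udp dport=67",   # DHCP
    "src=10.20.30.12 dst=10.20.40.5 proto=tcp dport=443",       # not on the allow-list
    "src=10.20.30.13 dst=192.0.2.53 proto=udp dport=53",        # DNS to unapproved resolver
    "src=10.20.50.7 dst=10.20.30.11 proto=tcp dport=22",        # inbound to a PCU
    "src=10.20.50.7 dst=10.20.40.5 proto=tcp dport=443",        # non-PCU traffic, ignored
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```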
Software Security
- Periodically inspect BD Alaris™ System components to ensure they are running the correct version of software. Software versions can be found using the instructions in Chapter 4 of the Systems Manager User Manual or Section 6.2.10 of the BD Alaris™ PCU and Pump Module Technical Service Manual.
System Security
- Adhere to industry security best practices regarding access control, identification and authorization, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
- Inspect the BD Alaris™ System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris™ System Products Service Manual.
NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST SP 800-63, “Digital Identity Guidelines,” is available at: https://pages.nist.gov/800-63-3/
For product or site-specific concerns, contact your BD customer support representative.