BD Alaris Improper Authentication Vulnerability
A session authentication vulnerability in BD's Alaris infusion management system could lead to DoS attacks.
Affected platforms
The following platforms are known to be affected:
BD Alaris PC Unit Versions: 9.33.1 and earlier (Model 8015 only)
BD Alaris Systems Manager Versions: 4.33 and earlier
Threat details
Introduction
BD (Becton, Dickinson and Company) has released details of a network session authentication vulnerability affecting a number of their Alaris infusion management products. They state that a remote, authenticated attacker could exploit it to cause a denial-of-service (DoS) condition on the affected products.
Vulnerability
The vulnerability appears to stem from a weakness in the authentication process used to connect Alaris PC Units to the Alaris Systems Manager. Users are able to remotely modify the configuration headers of the authentication data during this process, which can cause the authentication to fail.
If this occurs, the Alaris Systems Manager is unable to properly administer connected Alaris PC Units, which must then be operated manually to continue providing patient services.
Remediation advice
BD has confirmed that most Alaris Systems Manager installations have been updated to an unaffected version (12.0.1, 12.0.2, 12.1.0, or 12.1.2), and that a forthcoming update will address this vulnerability on affected Alaris PC Units.
Affected organisations are encouraged to review BD's security bulletin and contact their relevant suppliers to ensure any relevant updates are applied as they become available.
Last edited: 17 November 2020 1:10 pm