BD BodyGuard Pumps Vulnerability

CISA Advisory includes a missing protection mechanism for alternate hardware interface vulnerability that could allow an attacker to change configuration settings or disable the pump

Threat ID:: CC-4221
Threat Severity:: Low
Threat Vector:: Vulnerability
Published:: 2 December 2022 11:16 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CISA Advisory includes a missing protection mechanism for alternate hardware interface vulnerability that could allow an attacker to change configuration settings or disable the pump

Affected platforms

The following platforms are known to be affected:

BD BodyGuard Pumps

BD BodyGuard
CME BodyGuard 323 (2nd Edition)
CME BodyGuard 323 Color Vision (2nd Edition)
CME BodyGuard 323 Color Vision (3rd Edition)
CME BodyGuard Twins (2nd Edition)

Threat details

Introduction

The US government agency Cybersecurity and Infrastructure Security Agency (CISA) have released a medical advisory for a vulnerability affecting BD BodyGuard products. The advisory states that successful exploitation of this vulnerability could allow an attacker to change configuration settings or disable the pump. Attackers must have physical access to carry out these attacks.

Vulnerabilities

CVE-2022-43557 - CWE-1299 - MISSING PROTECTION MECHANISM FOR ALTERNATE HARDWARE INTERFACE

The affected BD BodyGuard infusion pumps allow for access through the RS-232 (serial) port interface. If exploited, an attacker with physical access and specialised equipment and knowledge could configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI), or personally identifiable information (PII) is stored in the pump. A CVSS v3 base score of 5.3 has been calculated.

Remediation advice

Affected organisations should review CISA Medical Advisory ICSMA-22-335-01 and apply any relevant mitigations.

CISA recommends the following mitigations:

Ensure physical access controls are in place to ensure only authorized users have access to the affected product.
Ensure only BD-approved equipment is connected to the RS-232 interface of the affected pumps.
When the affected pumps are delivering infusions, ensure no equipment is connected to the RS-232 interface.
Protect connected computer systems with BodyComm software with standard security measures.

Definitive source of threat updates

https://www.cisa.gov/uscert/ics/advisories/icsma-22-335-01

CVE Vulnerabilities

Status Reserved

CVE-2022-43557

Last edited: 2 December 2022 12:28 pm