Vulnerability Found in BD Alaris Infusion Products

The BD Alaris PC Unit identified a medium severity vulnerability that could be exploited to bring about a denial of service attack and a drop in wireless capacity.

Medigate discovered the vulnerability and reported it to BD. Afterward, BD reported the vulnerability in compliance with its disclosure policy and has presented mitigations and regulatory adjustments to assist users in handling the risks connected with the vulnerability until BD releases an up-to-date version of BD Alaris PC Unit software.

The vulnerability impacts the BD products listed below:

  • BD Alaris Systems Manager, Versions 4.33 and prior versions
  • BD Alaris PC Unit, Model 8015, Versions 9.33.1 and prior versions

The problem is caused by inappropriate device authentication of vulnerable models of the BD Alaris Systems Manager and the BD Alaris PC Unit. Although it’s possible to exploit the vulnerability remotely, access to the network of the vulnerable device is necessary for the attack to occur, which controls the possibility of exploitation. The assigned CVSS score of the vulnerability is 6.5 out of 10.

The moment an attacker gets network access, the BD Alaris PC Unit’s authentication requests could be redirected utilizing custom code and carry out an authentication handshake depending on data taken from the authentication requests.

This sort of attack won’t stop the function of the Alaris PC Unit as programmed; nonetheless, network services won’t be available to allow the Alaris PC Unit to be pre-populated with infusion parameters by means of EMR Interoperability or doing wireless Alaris System Guardrails (DERS) updates. Also, an attacker won’t be able to obtain the required permissions to remotely program codes, and could not access the encrypted protected health information (PHI). In case an attack succeeds, the BD Alaris PC operator needs to perform the following tasks manually: program the pump, acquire data records, or initialize a new data set.

BD already carried out server upgrades to fix the vulnerability in a lot of Systems Manager installations. That resolved the vulnerability in BD Alaris Systems Manager versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2. For the BD Alaris PC Unit software, an upcoming version will be released to resolve the vulnerability.

Software users can minimize the possibilities for exploitation by activating the firewall on the Systems Manager server image. Having guidelines limiting inbound and outbound ports services constraints can also help.

When a firewall is incorporated between the server network and wireless network segments, there will be an access control list (ACL) that limits wireless network segment access using the specific MAC address of the wireless card on the pump. Doing so would only allow authorized devices to access the wireless segment. Other devices won’t be able to link to and authenticate the segment. BD explained in its security bulletin.

Given that BD Alaris Systems Manager is a crucial service, it must essentially operate on a protected network behind a firewall. If there are unnecessary accounts, practices and services, these must be inactivated.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at