It is well established that vulnerabilities in medical devices can endanger the physical safety of patients.
Security researchers have discovered two new such vulnerabilities, one of which is critical and could allow full control of the affected device. The flaws reside in the Alaris Gateway Workstation by Becton Dickinson, a device that powers and networks the infusion pumps used to deliver fluid medication.
One of the vulnerabilities (identified as CVE-2019-10959) is located in the device's firmware and has been assigned the maximum CVSS severity score of 10. The bug can be leveraged by an attacker to obtain full control of the device. The other flaw (CVE-2019-10962) is less severe but still dangerous, as it affects the workstation's web-based management interface.
Both vulnerabilities affect certain versions of Becton Dickinson's Alaris Gateway Workstation (AGW), which provides power and network connectivity to infusion and syringe pumps. It is important to note that the AGW is not sold in the U.S., but it is used across Europe and Asia.
More about CVE-2019-10959 and CVE-2019-10962
The critical CVE-2019-10959 vulnerability affects AGW versions 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13. CVE-2019-10962 affects versions 1.0.13, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.1.5, and 1.1.6. Furthermore, several Alaris infusion pump models (GS, GH, CC and TIVA) running software version 2.3.6, released in 2006, are also impacted.
A successful exploit of the critical CVE-2019-10959 could allow an attacker to remotely install malicious firmware, which could then disable the workstation or tamper with its function. To carry out the exploit, however, the attacker would first need access to the hospital network. That is often not a high bar, given the state of security in many healthcare organizations.
The next step would require the attacker to craft a Windows Cabinet (CAB) file, the archive format Microsoft uses to package drivers and system files, and embed malicious executables in it.
The most dangerous aspect of CVE-2019-10959 is that the AGW accepts this firmware update over the network without requiring any special privileges or authentication.
With malicious firmware in place, the attacker could tamper with the dosage of the drug dispensed by specific infusion pump models connected to the AGW.
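Because the attack hinges on a CAB archive carrying unexpected executables, a defender screening firmware packages before they reach a device can at least inspect what the archive contains. The following is an added example, not code from CyberMDX, Becton Dickinson or the original article: it parses the CFHEADER and CFFILE structures of the MS-CAB format and flags entries whose names carry executable extensions. The sample archive is constructed in memory for the demonstration (single folder, uncompressed data, placeholder contents); the real layout of an AGW firmware package is not described on this page and is not assumed here.

```python
import os
import struct

# MS-CAB on-disk structures (little-endian). Field order follows the CAB specification.
CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles,
                                  # reserved3, versionMinor, versionMajor, cFolders, cFiles,
                                  # flags, setID, iCabinet  (36 bytes)
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress (8 bytes)
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ NUL-terminated name)
CFDATA_FMT = "<IHH"               # csum, cbData, cbUncomp (+ payload)

# Extensions a firmware package for an embedded device would not normally need to carry.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".msi", ".bat", ".cmd", ".ps1"}


def build_cab(files):
    """Build a minimal single-folder CAB with no compression (typeCompress=0).
    files: list of (name, bytes). Constructed test data only; payload must fit one CFDATA block."""
    payload = b"".join(data for _, data in files)
    assert len(payload) <= 0x8000, "one CFDATA block holds at most 32 KiB"
    cffiles, offset = b"", 0
    for name, data in files:
        # date/time are arbitrary constants; attribs 0x20 = archive bit
        cffiles += struct.pack(CFFILE_FMT, len(data), offset, 0, 0x4E21, 0x0000, 0x20)
        cffiles += name.encode("ascii") + b"\0"
        offset += len(data)
    coff_files = struct.calcsize(CFHEADER_FMT) + struct.calcsize(CFFOLDER_FMT)
    coff_cabstart = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA_FMT, 0, len(payload), len(payload)) + payload  # csum 0 = not computed
    cb_cabinet = coff_cabstart + len(cfdata)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER_FMT, coff_cabstart, 1, 0)
    return header + folder + cffiles + cfdata


def list_cab_entries(blob):
    """Walk the CFFILE list of a CAB and return [(name, size, attribs)].
    Raises ValueError on a malformed or truncated archive."""
    if len(blob) < struct.calcsize(CFHEADER_FMT) or blob[:4] != b"MSCF":
        raise ValueError("not a CAB file (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, vmin, vmaj,
     c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, blob, 0)
    if cb_cabinet != len(blob):
        raise ValueError(f"cbCabinet {cb_cabinet} does not match actual size {len(blob)}")
    if (vmaj, vmin) != (1, 3):
        raise ValueError(f"unsupported CAB version {vmaj}.{vmin}")
    # coffFiles already accounts for any optional reserved header area, so we seek to it directly.
    entries, pos = [], coff_files
    rec_len = struct.calcsize(CFFILE_FMT)
    for _ in range(c_files):
        if pos + rec_len > len(blob):
            raise ValueError("truncated CFFILE record")
        cb_file, _uoff, i_folder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, blob, pos)
        pos += rec_len
        end = blob.find(b"\0", pos)
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        # attribs bit 0x80 (_A_NAME_IS_UTF) marks a UTF-8 name; otherwise treat as ASCII/OEM.
        name = blob[pos:end].decode("utf-8" if attribs & 0x80 else "ascii", errors="replace")
        pos = end + 1
        # 0xFFFD..0xFFFF mean the file continues from/into another cabinet of a set.
        if i_folder >= c_folders and i_folder < 0xFFFD:
            raise ValueError(f"{name}: iFolder {i_folder} out of range")
        entries.append((name, cb_file, attribs))
    return entries


def is_well_formed(blob):
    """True if the CFFILE list parses cleanly, False otherwise."""
    try:
        list_cab_entries(blob)
        return True
    except ValueError:
        return False


def find_executables(blob):
    """Names inside the CAB whose extension marks them as executable. CAB names use backslashes."""
    return [name for name, _, _ in list_cab_entries(blob)
            if os.path.splitext(name.replace("\\", "/"))[1].lower() in EXECUTABLE_EXTS]


# Constructed sample package: a placeholder firmware image, release notes, and a smuggled .exe.
SAMPLE_CAB = build_cab([
    ("firmware.bin", b"\x7fELF" + b"\x00" * 28),   # placeholder bytes, not real AGW firmware
    ("readme.txt", b"release notes\n"),
    ("update\\helper.exe", b"MZ" + b"\x90" * 30),  # the entry a screening step should catch
])

if __name__ == "__main__":
    for name, size, attribs in list_cab_entries(SAMPLE_CAB):
        print(f"{name:24s} {size:6d} bytes  attribs=0x{attribs:02x}")
    print("executables:", find_executables(SAMPLE_CAB))
```

The check is deliberately conservative: it does not decompress anything, so it cannot be tricked by malformed compressed data, and it refuses an archive whose declared size does not match what was received. It is a screening step on the package, not a substitute for the authentication the AGW should have required in the first place.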
As for CVE-2019-10962, the less serious flaw, it could allow an attacker who knows the IP address of the device to access sensitive information through its browser interface, such as monitoring data, event logs, user guides and configuration settings.
The vulnerabilities were discovered by CyberMDX. The researchers reported them privately to Becton Dickinson, which confirmed the issues, and the two companies collaborated on a fix.