Researchers from CyberMDX have uncovered critical vulnerabilities in Alaris Gateway Workstation (AGW) that could allow an attacker to take complete control of the medical devices connected to the workstation.
What is Alaris Gateway Workstation?
Alaris Gateway Workstation (AGW) is a product of the medical device company Becton Dickinson. It is used to communicate with infusion pumps to power them during blood transfusions, anesthesia, and various therapy sessions like chemotherapy and dialysis.
The infusion pumps ensure that a patient receives the recommended amount of medication. Multiple such medical devices can be connected to a single AGW to deliver various medical drugs to a single individual.
The first vulnerability
The first critical vulnerability resides in the firmware code of AGW and allows an attacker to exploit it remotely without any authentication. It has been rated as a high-severity issue with a CVSS score of 10.
“This exploit can be carried out by anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files,” researchers said.
How to stay protected from the exploit?
Researchers reported the vulnerability to Becton Dickinson, which acknowledged it and took the necessary steps to remediate the problem.
Meanwhile, researchers recommended the following actions to prevent the vulnerability from being exploited, which include
A spokesperson for Becton Dickinson told BleepingComputer that the affected product is not used or sold in the U.S.
“Because the vulnerability is limited to a single BD infusion system offering (the Alaris™ Gateway Workstation) that is not sold in the U.S., it is important to note this disclosure does not apply to the majority of BD infusion systems,” he said.
The second vulnerability
Becton Dickinson recommends using the latest firmware, Version 1.3.2 or 1.6.1, to fix the vulnerability.
Meanwhile, NCCIC recommends the following steps to minimize the risk of exploitation of these vulnerabilities.