Critical vulnerabilities in Alaris Gateway Workstation allow attackers to alter drug dose in infusion pumps
- The first critical vulnerability resides in the firmware code of AGW, allowing an attacker to remotely exploit it without any authentication.
- The second vulnerability resides in the web-based interface of AGW, allowing an attacker to access device monitoring, event logs, and the device configuration.
Researchers from CyberMDX have uncovered critical vulnerabilities in Alaris Gateway Workstation (AGW) that could allow an attacker to take complete control of the medical devices connected to the workstation.
What is Alaris Gateway Workstation?
Alaris Gateway Workstation (AGW) is a product of the medical device company Becton Dickinson (BD). It is used to power, control and communicate with infusion pumps during blood transfusions, anesthesia, and therapies such as chemotherapy and dialysis.
The infusion pumps ensure that a patient receives the prescribed amount of medication. Multiple pumps can be docked in a single AGW to deliver different drugs to one patient.
The first vulnerability
The first critical vulnerability resides in the firmware code of AGW, allowing an attacker to exploit it remotely without any authentication. It has been rated critical, with a CVSS score of 10.0.
- This vulnerability (tracked as CVE-2019-10959) allows an attacker to remotely replace the firmware with a custom version.
- The firmware update is delivered as a CAB file, the archive format used by the workstation's Windows CE operating system; an attacker can craft or modify such an archive so that the files it carries are written to the device.
- This would ultimately allow the attacker to alter the dosage of the drug dispensed by the infusion pumps connected to an AGW.
“This exploit can be carried out by anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files,” researchers said.
How to stay protected from the exploit?
The researchers reported the vulnerability to Becton Dickinson, which acknowledged it and took steps to remediate the problem.
In the meantime, the researchers recommended the following actions to prevent the vulnerability from being exploited:
- Blocking the SMB protocol
- Segmenting the network with VLANs
- Ensuring that only appropriate associates have access to the customer network
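The first two recommendations amount to "no SMB reaches an AGW except from the hosts that are supposed to push firmware". The script below is an added example, not code from CyberMDX or BD: it runs a detection check over a handful of constructed flow-log records, flagging SMB (TCP 139/445) connections to an AGW that do not originate from a management subnet, and it emits the matching iptables drop rules. The AGW addresses, the management subnet, and the one-record-per-line "src dst dport proto" log format are all assumptions for the example.

```python
"""
Detect SMB traffic to Alaris Gateway Workstations from outside the
management network, and print the firewall rules that would block it.

Added example, not vendor or researcher code.  Assumptions:
  - AGW_HOSTS are the workstation addresses on the medical-device VLAN
  - MGMT_SUBNET is the only network allowed to push firmware over SMB
  - flow records look like "src dst dport proto" (a constructed format)
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed addressing for the example.
AGW_HOSTS = {
    ipaddress.ip_address("10.40.1.10"),
    ipaddress.ip_address("10.40.1.11"),
}
MGMT_SUBNET = ipaddress.ip_network("10.99.0.0/24")
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'src dst dport proto' record; return None for malformed lines
    so a single bad line does not abort the whole check."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Flow(ipaddress.ip_address(parts[0]),
                    ipaddress.ip_address(parts[1]),
                    int(parts[2]),
                    parts[3].lower())
    except ValueError:
        return None


def is_suspicious(flow: Flow) -> bool:
    """True when SMB reaches an AGW from a host outside the management subnet."""
    return (flow.proto == "tcp"
            and flow.dport in SMB_PORTS
            and flow.dst in AGW_HOSTS
            and flow.src not in MGMT_SUBNET)


def find_suspicious(lines: Iterable[str]) -> List[Flow]:
    """Return the flows that violate the 'SMB only from management' policy."""
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if f is not None and is_suspicious(f)]


def block_rules() -> List[str]:
    """iptables rules dropping SMB to each AGW unless the source is MGMT_SUBNET.
    Stateless and intentionally narrow: they do not touch the AGW's other ports."""
    return [
        f"iptables -A FORWARD ! -s {MGMT_SUBNET} -d {host} -p tcp "
        f"-m multiport --dports 139,445 -j DROP"
        for host in sorted(AGW_HOSTS)
    ]


# Constructed sample records: only lines 2 and 4 should be flagged.
SAMPLE_FLOWS = [
    "10.99.0.5 10.40.1.10 445 tcp",    # biomed engineering host: allowed
    "10.20.5.77 10.40.1.10 445 tcp",   # clinical workstation -> AGW SMB: flag
    "10.20.5.77 10.40.1.11 80 tcp",    # web UI, not SMB: not this check
    "10.20.5.77 10.40.1.11 139 tcp",   # NetBIOS session to AGW: flag
    "10.20.5.77 10.50.0.3 445 tcp",    # SMB to a file server, not an AGW
    "this line is not a flow record",  # malformed, skipped
    "10.20.5.77 10.40.1.10 445 udp",   # not TCP: not SMB
]

if __name__ == "__main__":
    for flow in find_suspicious(SAMPLE_FLOWS):
        print(f"ALERT: SMB to AGW {flow.dst} from non-management host {flow.src} (port {flow.dport})")
    print("\n".join(block_rules()))
```

Feeding real flow records to `find_suspicious` only requires replacing `parse_flow` with one for your collector's format; the policy itself stays in `is_suspicious`. Blocking SMB at the segment boundary is a stopgap, not a fix: a host already on the management subnet, or a compromised AGW, is unaffected by these rules, which is why the firmware update below remains the real remediation.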
A spokesperson for Becton Dickinson told BleepingComputer that the affected product is not used or sold in the U.S.
“Because the vulnerability is limited to a single BD infusion system offering (the Alaris™ Gateway Workstation) that is not sold in the U.S., it is important to note this disclosure does not apply to the majority of BD infusion systems,” he told.
The second vulnerability
- The second vulnerability, tracked as CVE-2019-10962, resides in the web-based interface of AGW.
- This vulnerability, which has a high-severity CVSS score of 7.3, allows an attacker to access device monitoring, event logs, and the device configuration.
- It could be exploited by anyone who knows the IP address of the target AGW.
Becton Dickinson recommends updating to the latest firmware, version 1.3.2 or 1.6.1, to fix the vulnerabilities.
Meanwhile, NCCIC recommends the following steps to minimize the risk of exploitation of these vulnerabilities.
- Minimizing network exposure for all medical devices and systems.
- Isolating medical devices behind firewalls.
- Applying defense-in-depth strategies and disabling any unnecessary accounts, protocols, and services.