OTPulse

ICSMA-17-017-01_BD Alaris 8000 Insufficiently Protected Credentials Vulnerability

Monitor | 4.9 | ICS-CERT ICSMA-17-017-01 | Jan 17, 2017
Attack Vector: Physical
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

BD Alaris 8000 PC unit stores credentials in an insufficiently protected manner. An attacker with physical access to the device could extract these credentials and potentially use them to gain unauthorized access to other networked systems or to manipulate infusion parameters, alarm settings, or clinical workflows. The vulnerability is classified as CWE-522 (Insufficiently Protected Credentials).

What this means
What could happen
An attacker with physical access to the Alaris 8000 PC unit could extract stored credentials and use them to gain unauthorized access to other networked systems or clinical functions. This could allow them to alter medication infusion parameters, bypass safety interlocks, or disrupt patient care delivery.
Who's at risk
Healthcare facilities operating BD Alaris 8000 infusion pump systems should care about this vulnerability. Alaris 8000 devices are used to deliver IV medications and fluids in hospital wards, ICUs, emergency departments, and ambulatory care settings. Any compromise of Alaris credentials could affect patient safety and clinical operations across the entire networked infrastructure.
How it could be exploited
An attacker must physically access the Alaris 8000 PC unit. They can then extract insufficiently protected credentials from the device's local storage using off-the-shelf tools or direct hardware access. Once extracted, these credentials can be reused to authenticate to other systems on the healthcare network that trust the Alaris device's identity.
Prerequisites
  • Physical access to the Alaris 8000 PC unit
  • Ability to extract local storage or memory from the device
  • Credentials stored on device must be in use on other networked systems
  • No patch available
  • Physical access required but practical in healthcare facility
  • Credentials stored insecurely
  • Affects life-critical medical device
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Alaris 8000 PC unit: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to Alaris 8000 PC units to authorized clinical and IT personnel only; use locked cabinets or secure storage areas
HARDENING: Implement device tamper detection or monitoring to alert staff if the Alaris unit is opened or accessed
HARDENING: Audit and rotate all credentials that may be stored on or used by Alaris 8000 devices; establish a credential rotation schedule independent of device access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Segment the Alaris infusion pump network from other clinical and administrative systems using firewalls or network switches to limit lateral movement if credentials are compromised
Mitigations - no patch available
The Alaris 8000 PC unit (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor network traffic from Alaris devices for unusual authentication attempts or lateral movement to other systems
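
One way to implement the monitoring control above, as an added example that is not part of the advisory or any vendor tooling: flag authentication events where a device account is used from outside the pump segment (the credential-reuse scenario under "How it could be exploited"), or where a pump-segment host contacts an unexpected destination. The subnet, account name, allowlist and log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumptions for illustration only; none of these values come from the advisory.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")      # hypothetical pump VLAN
DEVICE_ACCOUNTS = {"svc-alaris"}                      # hypothetical account stored on the PC units
ALLOWED_DESTS = {ipaddress.ip_address("10.20.40.5")}  # hypothetical server the pumps normally reach

# Constructed authentication events: "timestamp src dst account result"
SAMPLE_LOG = """\
2017-01-17T08:00:01Z 10.20.30.11 10.20.40.5 svc-alaris success
2017-01-17T08:05:42Z 10.50.1.77 10.20.40.5 svc-alaris success
2017-01-17T08:06:10Z 10.20.30.11 10.60.2.9 svc-alaris failure
2017-01-17T08:07:00Z 10.50.1.20 10.60.2.9 jdoe success
not a log line
"""

def parse(line):
    """Return (ts, src, dst, account, result) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, account, result = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), account, result
    except ValueError:
        return None

def find_alerts(log_text):
    """Flag device credentials used off-segment and pump hosts reaching unexpected systems."""
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, src, dst, account, _result = event
        from_pump = src in PUMP_NET
        if account in DEVICE_ACCOUNTS and not from_pump:
            # A device account seen from a non-pump host suggests extracted credentials.
            alerts.append((ts, "device-credential-used-off-segment", str(src), str(dst)))
        elif from_pump and dst not in ALLOWED_DESTS:
            # Failed attempts are flagged too: probing from the pump segment is itself a signal.
            alerts.append((ts, "pump-segment-unexpected-destination", str(src), str(dst)))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```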