OTPulse

BD Alaris 8015 PC Unit (Update B)

Monitor | CVSS 6.8 | ICS-CERT ICSMA-17-017-02 | Jan 17, 2017
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Alaris 8015 PC unit contains hardcoded or easily accessible wireless network authentication credentials and sensitive technical data that can be extracted by an attacker with physical access to the device. This could allow unauthorized access to the host facility's wireless network. Successful exploitation could compromise the confidentiality, integrity, and availability of the device and connected systems. All affected Alaris System software versions earlier than 9.19 are end-of-life. BD has not developed a product fix and recommends that users upgrade when the next software version is released upon 510(k) clearance. In the interim, BD recommends applying the compensating controls described in its security bulletin.

What this means
What could happen
An attacker with physical access to the Alaris 8015 PC unit could extract wireless network credentials and other sensitive technical data, potentially compromising network access and device integrity.
Who's at risk
Hospital infusion therapy teams and clinical engineering staff should prioritize this. The Alaris 8015 PC unit is used to manage medication delivery and patient monitoring in hospital settings. Physical access risk is highest in clinical areas, storage rooms, and during device transport.
How it could be exploited
An attacker with physical access to the device can access stored wireless network authentication credentials and sensitive technical information from the Alaris 8015 PC unit. This does not require remote network access or valid user credentials.
Prerequisites
  • Physical access to the Alaris 8015 PC unit
  • No authentication required to access sensitive data on device
No authentication required | No patch available (end-of-life product) | Physical access required but low complexity once access is gained | Affects medical device with potential patient safety impact
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
Alaris 8015 PC unit | 9.7 | No fix (EOL)
Alaris 8015 PC unit | ≤ 9.33 | No fix (EOL)
Alaris 8015 PC unit | ≤ 9.5 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement physical security controls to restrict access to Alaris 8015 PC units in clinical areas (e.g., locked storage, surveillance, restricted-access rooms)
WORKAROUND: Review and apply BD's compensating controls provided in the security bulletin for Alaris PC unit model 8015
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Plan to upgrade Alaris System software to version 9.19 or later when BD releases the next software version following 510(k) clearance