OTPulse

BD Alaris Plus

Priority: Act Now
CVSS: 9.4
Source: ICS-CERT ICSMA-18-235-01
Published: Aug 23, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A remote attacker can gain unauthorized access to BD Alaris syringe pumps and alter their operation when connected to a terminal server via serial port. The vulnerability affects Alaris CC, TIVA, GH, and GS pump models at software versions 2.3.6 and earlier. The attacker cannot power the device on remotely or access patient data. BD has confirmed the vulnerability is mitigated if the pump is connected to an Alaris Gateway Workstation docking station.

What this means
What could happen
An attacker could gain unauthorized control of Alaris syringe pump operation when connected via serial port to a terminal server, potentially altering infusion rates or stopping medication delivery. The attacker cannot power the device on remotely or access patient data, but can disrupt active infusions if the pump is already running.
Who's at risk
Healthcare facilities using BD Alaris syringe pump systems (Alaris CC, TIVA, GH, GS models up to version 2.3.6), particularly in non-US locations where these devices are sold. Medical staff responsible for infusion pump operations and biomedical/clinical engineering teams managing pump infrastructure should prioritize this vulnerability.
How it could be exploited
An attacker with network access to a terminal server connected to an Alaris syringe pump via serial port can send unauthorized commands to the pump to change infusion parameters or stop the infusion. The exploit requires no authentication and works on any affected pump model not connected to an Alaris Gateway Workstation docking station.
Prerequisites
  • Network access to a terminal server connected to an affected Alaris pump via serial port
  • The pump must not be connected to an Alaris Gateway Workstation docking station
  • The pump must be powered on
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects safety systems
Exploitability
Moderate exploit probability (EPSS 7.3%)
Affected products (4), all End of Life
Product       Affected Versions   Fix Status
Alaris CC     ≤ 2.3.6             No fix (EOL)
Alaris TIVA   ≤ 2.3.6             No fix (EOL)
Alaris GH     ≤ 2.3.6             No fix (EOL)
Alaris GS     ≤ 2.3.6             No fix (EOL)
Remediation & Mitigation

Do now
WORKAROUND: Ensure all Alaris syringe pumps are connected to an Alaris Gateway Workstation docking station, which prevents exploitation.

Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
HARDENING: Isolate terminal servers connected to Alaris pumps from untrusted networks using network segmentation and firewall rules.

Mitigations (no patch available)
The following products have reached End of Life with no planned fix: Alaris CC, Alaris TIVA, Alaris GH, Alaris GS. Apply the following compensating controls:
HARDENING: Implement network monitoring on serial connections to Alaris pumps to detect unauthorized commands.
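As an added example (not part of this advisory or of any BD tooling), the script below implements the monitoring control above at the network layer: it reads a firewall connection log and flags every TCP connection to the terminal-server ports that front the pumps' serial lines from any host outside the biomedical engineering allowlist. The terminal server address, the port-to-pump mapping, the allowlist subnet and the log format are all constructed assumptions.

```python
"""Flag network access to terminal-server serial ports that front Alaris pumps,
using a connection log exported by the segmentation firewall (assumed format)."""
from collections import namedtuple
import ipaddress

# Assumed inventory: terminal server address -> {tcp port: pump behind that serial line}.
# Addresses and port numbers are constructed for this example.
SERIAL_PORTS = {
    "10.20.5.10": {4001: "Alaris GH #1 (ICU bed 3)", 4002: "Alaris CC #2 (ICU bed 4)"},
}
# Only the biomedical engineering jump-host subnet may reach the serial ports.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.9.0/24")]

Alert = namedtuple("Alert", "ts src dst port pump reason")

def parse_conn_line(line):
    """Parse one 'ts src dst dport proto' record (constructed export format)."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto

def is_allowed(src):
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_CLIENTS)

def detect(lines):
    """Return an Alert for each TCP connection to a pump serial port from a host
    outside ALLOWED_CLIENTS; traffic to other ports on the terminal server is ignored."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_conn_line(line)
        pump = SERIAL_PORTS.get(dst, {}).get(dport)
        if pump is None or proto != "tcp":
            continue
        if not is_allowed(src):
            alerts.append(Alert(ts, src, dst, dport, pump, "source not in biomed allowlist"))
    return alerts

# Constructed sample log: the biomed host's session is expected, the 10.40.77.3 host is not.
SAMPLE_LOG = """\
2018-08-23T10:00:01Z 10.20.9.15 10.20.5.10 4001 tcp
2018-08-23T10:05:44Z 10.20.9.15 10.20.5.10 22 tcp
2018-08-23T11:12:09Z 10.40.77.3 10.20.5.10 4002 tcp
2018-08-23T11:12:10Z 10.40.77.3 10.20.5.10 4001 tcp
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port} [{a.pump}]: {a.reason}")
```

Feed it the real terminal server address, serial port numbers and management subnet from your own inventory; each alert should be correlated with the pump's infusion log for the same timestamp.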