BD Alaris PCU (Update A)

Act Now5.3ICS-CERT ICSMA-20-170-06Jun 18, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial of service vulnerability in BD Alaris PCU versions 9.13, 9.19, 9.33, and 12.1 allows an attacker on the wireless network to cause the device to disconnect from the facility's network infrastructure. Successful exploitation results in loss of communication between the Alaris PCU and the Alaris Systems Manager, disrupting infusion pump operations.

What this means

What could happen

An attacker could cause the BD Alaris PCU to disconnect from the wireless network, disrupting infusion pump connectivity and forcing manual intervention to restore patient medication delivery systems.

Who's at risk

Hospitals and healthcare facilities using BD Alaris infusion pump systems are affected. This impacts medical device teams, biomedical engineering, and clinical engineering staff responsible for infusion delivery networks and wireless medical device connectivity.

How it could be exploited

An attacker with network access to the wireless network segment can send malformed packets or perform a denial of service attack against the Alaris PCU's wireless connectivity, causing it to drop from the network and stop communicating with the Alaris Systems Manager.

Prerequisites

Network access to the wireless network segment where the Alaris PCU is connected
No authentication required to initiate the denial of service attack

Remotely exploitableNo authentication requiredLow attack complexityHigh EPSS score (13.6%)No patch availableAffects safety-critical medical devices

Exploitability

High exploit probability (EPSS 13.6%)

Affected products (1)

ProductAffected VersionsFix Status

Alaris PC Unit:9.13 | 9.19 | 9.33 | 12.1No fix (EOL)

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGUpgrade wireless authentication to enterprise WPA2 protocols for stronger network controls that are harder for attackers to spoof or replicate

HARDENINGDeploy Intrusion Detection System (IDS) monitoring on wireless networks to detect malicious activity targeting Alaris devices

HARDENINGPlace BD Alaris Systems Manager behind a firewall on a secure, isolated network segment separate from the Alaris PCU

Mitigations - no patch available

0/1

Alaris PC Unit: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGEnsure BD Alaris Systems Manager is patched regularly and has malware protection enabled

CVEs (1)

CVE-2019-11479

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cf4936b6-0f4d-4da8-a404-29c1b61474cd