OTPulse

BD Alaris 8015 PC Unit and BD Alaris Systems Manager

Priority: Monitor
CVSS: 6.5
Source: ICS-CERT ICSMA-20-317-01
Published: Nov 12, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

BD Alaris PC Unit Model 8015 and Systems Manager contain an authentication interception vulnerability in wireless communications. An attacker on the network can redirect authentication requests to the Systems Manager using a custom authentication handler, causing the Alaris PC Unit to drop its wireless connectivity. While the device continues to operate on locally stored infusion parameters, network-dependent features fail: EMR Interoperability (pre-population of infusion parameters) and remote delivery of System Guardrails updates (DERS) become unavailable. Exploitation requires network access and the ability to intercept wireless traffic, but does not require valid credentials.

What this means
What could happen
An attacker could intercept and redirect wireless authentication requests to disable network connectivity on the Alaris PC Unit, preventing remote software updates and EMR integration while the device continues to operate on local settings.
Who's at risk
Hospital and healthcare delivery organizations operating BD Alaris infusion pump PC Units (Model 8015) that rely on wireless connectivity and Systems Manager for remote software updates, clinical guardrails management (DERS), and EMR integration.
How it could be exploited
An attacker on the hospital network would intercept wireless authentication messages from the Alaris PC Unit to the Systems Manager, extract authentication credentials from the traffic, and use a custom authentication handler to complete a spoofed handshake that causes the device to lose wireless connectivity.
Prerequisites
  • Network access to the wireless segment where the Alaris PC Unit operates
  • Ability to intercept and redirect network traffic (man-in-the-middle position)
  • Custom code to parse and respond to authentication requests
Key facts
  • Remotely exploitable
  • No authentication required for initial interception
  • Low complexity attack
  • No patch available for PC Unit Model 8015
  • Affects patient monitoring/infusion delivery systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2): 1 with fix, 1 EOL

Product                      Affected Versions   Fix Status
Alaris PC Unit Model 8015    ≤ 9.33.1            No fix (EOL)
Alaris Systems Manager       ≤ 4.33              Fixed in 12.0.1, 12.0.2, 12.1.0, 12.1.2
Remediation & Mitigation
Do now
HARDENING: Deploy access controls to restrict which devices and systems can communicate on the wireless network segment, and limit the traffic types allowed between the wireless and server segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Alaris Systems Manager to version 12.0.1, 12.0.2, 12.1.0, or 12.1.2
Mitigations - no patch available
Alaris PC Unit Model 8015 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the wireless network segment from the Systems Manager server segment