BD Alaris System with Guardrails Suite MX
Act Now | 8.2 | ICS-CERT ICSMA-23-194-01 | Jul 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
BD Alaris System contains multiple vulnerabilities in authentication, input validation, encryption, and external entity processing. These affect the Point-of-Care Unit (PCU), Guardrails Editor, Systems Manager, CQI Reporter, and Calculation Services components. Successful exploitation could allow attackers to compromise patient data, hijack sessions, modify firmware, alter system configurations, and impact drug delivery accuracy. The vulnerabilities stem from missing certificate validation, weak password handling, XML external entity (XXE) injection, cross-site scripting, and inadequate authentication controls.
What this means
What could happen
An attacker with network access to the BD Alaris System could compromise patient safety data, hijack clinician sessions, modify firmware, or alter drug delivery configurations on infusion pumps and point-of-care units. This could disrupt drug administration accuracy and patient monitoring.
Who's at risk
Healthcare facilities operating BD Alaris infusion pump systems with Guardrails Suite are affected. This includes point-of-care units (PCU) in medication administration areas, systems managers, and central safety configuration tools. It affects all clinical environments using BD Alaris for controlled drug delivery.
How it could be exploited
An attacker on the network could exploit weak authentication, missing encryption, or input validation flaws to access the Guardrails Editor, Systems Manager, or PCU firmware management interfaces. Session hijacking or man-in-the-middle attacks could allow modification of drug formulas, dosage limits, or system configurations without detection.
Prerequisites
- Network access to BD Alaris System ports (port 3613 for Systems Manager, DNS/DHCP for PCU)
- User interaction required (UI involved in attack vector)
- No valid credentials strictly required for some vulnerabilities
- Remotely exploitable
- User interaction required
- No authentication required for some attack vectors
- High EPSS score (49%)
- No patch available for PCU Model 8015 (partial fixes only)
- Affects patient safety systems (infusion pump drug delivery)
- Weak encryption and authentication mechanisms
- Default or weak credentials possible
Exploitability
High exploit probability (EPSS 49.0%)
Affected products (6)
3 with fix, 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| BD Alaris Point-of-Care Unit (PCU) Model 8015 | ≤ 12.1.3 | 12.3.1 |
| BD Alaris Guardrails Editor | ≤ 12.1.2 | No fix (EOL) |
| Calculation Services | ≤ 1.0 | 1.1.1 |
| BD Alaris Guardrails Editor | 12.1.3 | No fix (EOL) |
| CQI Reporter | ≤ 10.17 | No fix (EOL) |
| BD Alaris Systems Manager | ≤ 12.3 | 12.5.1 |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network firewall or ACL rules to restrict BD Alaris traffic to only required ports and endpoints
- WORKAROUND: Monitor network traffic for unusual activity and change credentials immediately if exposure is suspected
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
BD Alaris Point-of-Care Unit (PCU) Model 8015: <=12.1.3
- HOTFIX: Update BD Alaris PCU Model 8015 to version 12.3.1 (partial mitigation; CVE-2023-30559, CVE-2023-30560, CVE-2023-30561 remain)
All products
- HOTFIX: Update BD Alaris Systems Manager to version 12.5.1 and Calculation Services to version 1.1.1
- HARDENING: Configure SSL certificates from valid Certificate Authorities on Systems Manager per deployment guide Chapter 9
- HARDENING: Enable authentication challenge password for network configuration changes via Maintenance Software User Manual Chapter 1
- HARDENING: Restrict external access to Systems Manager server to only required addresses and ports per deployment guide
- WORKAROUND: Verify installed software versions on all BD Alaris components match approved versions per user manual
- WORKAROUND: Inspect BD Alaris System components for signs of tampering per FIPS 140-2 compliance manual
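The version-verification step above can be run across an asset inventory. The following is an added example, not BD or ICS-CERT tooling: product names, affected ceilings and fix versions are copied from the affected-products table on this page, while the status labels, function names and sample inventory rows are assumptions constructed for illustration.

```python
# Added example: triage an inventory against this advisory's affected-products table.
# product -> (highest affected version, fixed version or None when EOL / no fix)
ADVISORY = {
    "BD Alaris Point-of-Care Unit (PCU) Model 8015": ("12.1.3", "12.3.1"),
    "BD Alaris Guardrails Editor": ("12.1.3", None),
    "Calculation Services": ("1.0", "1.1.1"),
    "CQI Reporter": ("10.17", None),
    "BD Alaris Systems Manager": ("12.3", "12.5.1"),
}
# The page states PCU 12.3.1 is a partial fix (CVE-2023-30559/30560/30561 remain).
PARTIAL_FIX = {"BD Alaris Point-of-Care Unit (PCU) Model 8015"}

def parse_version(text):
    """'10.9' -> (10, 9); numeric parts so 10.9 sorts below 10.17."""
    return tuple(int(part) for part in text.strip().split("."))

def compare(a, b):
    """Compare version tuples, padding with zeros so 12.3 == 12.3.0."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)

def triage(product, installed):
    """Return a status label (labels are this example's own, not the advisory's)."""
    if product not in ADVISORY:
        return "not-listed"
    ceiling, fix = ADVISORY[product]
    try:
        have = parse_version(installed)
    except ValueError:
        return "unparseable-version"  # e.g. '12.x': check the device by hand
    if compare(have, parse_version(ceiling)) <= 0:
        return "affected-eol" if fix is None else f"affected-update-to-{fix}"
    if fix is not None and compare(have, parse_version(fix)) >= 0:
        return "fixed-partial" if product in PARTIAL_FIX else "fixed"
    # Above the listed ceiling but below any fixed release: the page is silent.
    return "needs-review"

# Constructed sample rows: (asset tag, product, installed version)
SAMPLE_INVENTORY = [
    ("pcu-ward3", "BD Alaris Point-of-Care Unit (PCU) Model 8015", "12.1.3"),
    ("pcu-icu1", "BD Alaris Point-of-Care Unit (PCU) Model 8015", "12.3.1"),
    ("cqi-01", "CQI Reporter", "10.9"),
    ("sm-01", "BD Alaris Systems Manager", "12.3.0"),
]

def report(inventory):
    return {tag: triage(product, version) for tag, product, version in inventory}

if __name__ == "__main__":
    for tag, status in report(SAMPLE_INVENTORY).items():
        print(f"{tag:10} {status}")
```

Assets reported as `affected-eol` fall under the compensating controls in the next section rather than a patch schedule.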
Mitigations - no patch available
The following products have reached End of Life with no planned fix: BD Alaris Guardrails Editor: <=12.1.2, BD Alaris Guardrails Editor: 12.1.3, CQI Reporter: <=10.17. Apply the following compensating controls:
- HARDENING: Segment BD Alaris PCUs onto a dedicated VLAN separate from clinical networks
- HARDENING: Implement MAC filtering on network segments containing BD Alaris components to restrict to approved devices only
CVEs (8)