Healthcare

Medical Infusion Pumps Vulnerable to Remote Attacks

11 - 18 June 2019

Alaris Gateway Workstation, a control system for infusion pumps manufactured by Becton Dickinson (BD), contains two vulnerabilities that allow hackers to remotely tamper with the pump’s functions. CVE-2019-10959 is a critical flaw with a CVSSv3 base score of 10, the highest possible severity rating for a vulnerability. By exploiting it, an attacker can remotely install unauthorised firmware on the Alaris Gateway and adjust specific commands on the infusion pump, directly impacting the patient’s health. The second vulnerability, CVE-2019-10962, affects the Web Browser User Interface, where a lack of authentication can provide access to the Alaris Gateway’s status and configuration information. Medical institutions using the affected products are encouraged to apply the latest software patch, even though neither vulnerability has been observed to be exploited in the wild.

References:

Advisory (ICSMA-19-164-01): BD Alaris Gateway Workstation

Alaris™ Gateway Workstation Unauthorized Firmware

Alaris™ Gateway Workstation Web Browser User Interface Lack of Authentication
