Hackers exploit vulnerability to maliciously alter medical devices

Cybersecurity services specialists report the discovery of two vulnerabilities in Alaris Gateway workstations, which run Windows CE and support infusion pumps. According to the reports, a remote threat actor who exploits these flaws could disable one of these pumps, inject malware, modify information or even alter the dose of medication that the device administers to a patient.

Alaris Gateway workstations are manufactured by Becton, Dickinson and Company and are widely used in hospitals in at least 30 countries in Asia and Europe, a company spokesman reports. These workstations are used in various medical operations, such as fluid therapy, blood transfusions, chemotherapy, dialysis, etc.

The vulnerabilities were detected by cybersecurity services specialists at CyberMDX Research Center; the manufacturer subsequently confirmed the existence of the flaws.

The first of these flaws, tracked as CVE-2019-10959, exists in the workstation firmware and, if exploited, could allow a malicious user to upload arbitrary files during the firmware update process. In the report, cybersecurity experts say the hacker must first access the hospital network to collect the information needed to exploit the vulnerability. “If the hacker manages to exploit the flaw, they could modify the scope of the infusion pumps or modify the amount of medication supplied,” the experts added.

The second vulnerability, tracked as CVE-2019-10962, affects the workstation's web management console; the risk increases because authentication credentials are not required to access it. “Anyone who knows the IP address of a workstation could monitor the status of an infusion pump or access the activity log and even restart the device.”

According to researchers from the International Institute of Cyber Security (IICS), the vulnerability affects workstations operating with firmware versions 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13.

As a security measure, the company recommends that system administrators upgrade their deployments to firmware versions 1.3.2 or 1.6.1 and block the SMB protocol to ensure that only authorized personnel have access to the hospital network.
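
An added example (not from the article or from the manufacturer) of auditing a deployment against that guidance: it flags workstations whose firmware is not one of the recommended versions and any allowed SMB flow (TCP 139/445) reaching a workstation from outside an authorized subnet. The inventory, flow records, column names and the 10.20.1.0/24 management subnet are constructed assumptions.

```python
import csv, io, ipaddress, re

# Affected builds and upgrade targets exactly as listed in the article.
AFFECTED = {"1.1.3 build 10", "1.1.3 mr build 11", "1.2 build 15",
            "1.3.0 build 14", "1.3.1 build 13"}
FIXED = {"1.3.2", "1.6.1"}
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed sample data (hypothetical asset inventory and firewall flows).
INVENTORY = """ip,firmware
10.20.30.11,1.3.1 Build 13
10.20.30.12,1.3.2
10.20.30.13,1.2  build 15
10.20.30.14,1.4.0
"""
FLOWS = """src,dst,dport,action
10.20.99.5,10.20.30.12,445,allow
10.20.1.7,10.20.30.12,445,allow
10.20.99.5,10.20.30.11,443,allow
10.20.99.6,10.20.30.13,139,deny
"""

def firmware_status(fw):
    """Classify a firmware string, tolerating case and spacing differences."""
    norm = re.sub(r"\s+", " ", fw.strip().lower())
    if norm in AFFECTED:
        return "affected"
    if norm.split(" ")[0] in FIXED:
        return "fixed"
    return "unknown"  # not named in the article: confirm with the vendor

def audit(inventory_csv, flows_csv, allowed_cidrs):
    """Return (workstation_ip, finding) pairs for firmware and SMB exposure."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hosts = {r["ip"]: firmware_status(r["firmware"])
             for r in csv.DictReader(io.StringIO(inventory_csv))}
    findings = [(ip, "firmware " + st) for ip, st in hosts.items() if st != "fixed"]
    for f in csv.DictReader(io.StringIO(flows_csv)):
        if f["dst"] not in hosts or f["action"] != "allow":
            continue  # not a workstation, or already blocked
        if int(f["dport"]) in SMB_PORTS:
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in allowed):
                findings.append((f["dst"], "SMB allowed from " + f["src"]))
    return findings

if __name__ == "__main__":
    for ip, finding in audit(INVENTORY, FLOWS, ["10.20.1.0/24"]):
        print(ip, finding)
```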
