CVE-2018-14786
📋 TL;DR
This vulnerability allows remote attackers to bypass authentication on BD Alaris Plus medical syringe pumps when connected via serial port to terminal servers. Attackers can gain unauthorized access to control pump operations, potentially affecting medication delivery. Affected are BD Alaris GS, GH, CC, and TIVA syringe pump models running firmware versions 2.3.6 and earlier.
💻 Affected Systems
- BD Alaris GS
- BD Alaris GH
- BD Alaris CC
- BD Alaris TIVA
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full control of medical syringe pump, potentially altering medication delivery rates or stopping critical infusions, leading to patient harm or death.
Likely Case
Unauthorized access to pump controls allowing manipulation of infusion parameters, potentially causing medication errors or treatment interruptions.
If Mitigated
With proper network segmentation and access controls, risk is limited to authorized personnel within controlled medical environments.
🎯 Exploit Status
Exploitation requires network access to terminal servers connected to vulnerable pumps; no authentication needed once access is gained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.7 or later
Restart Required: Yes
Instructions:
1. Contact BD technical support for firmware update 2.3.7 or later.
2. Schedule a maintenance window for the pump updates.
3. Follow BD's official firmware update procedure.
4. Verify the update succeeded and the pump functions correctly.
🔧 Temporary Workarounds
Network Segmentation
Isolate syringe pumps and terminal servers on separate VLANs with strict access controls.
Physical Security Controls
Restrict physical access to serial ports and terminal server connections.
🧯 If You Can't Patch
- Disconnect vulnerable pumps from terminal servers and network connections
- Implement strict network access controls and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check pump firmware version via device display or BD service software; versions 2.3.6 or earlier are vulnerable.
Check Version:
Use BD service software or check device display for firmware version information.
Verify Fix Applied:
Verify firmware version shows 2.3.7 or later; test authentication requirements for remote access.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to terminal servers
- Unexpected pump configuration changes
- Serial port connection anomalies
Network Indicators:
- Unusual traffic to terminal server ports
- Unauthorized serial-over-IP connections
SIEM Query:
source_ip NOT IN (authorized_ips) AND dest_port IN (terminal_server_ports)
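The SIEM pseudo-query above, implemented as an added example over constructed flow-log lines (not code from the advisory or from BD); the allowlist, terminal-server ports, log format and IP addresses are assumptions for the example:

```python
# Added example (not from the advisory): flags connections to terminal-server
# ports from source IPs outside an allowlist, mirroring the SIEM pseudo-query
# "source_ip NOT IN (authorized_ips) AND dest_port IN (terminal_server_ports)".
# Port numbers, IPs and the log format are constructed assumptions.
import ipaddress
import re

# Assumed allowlist of hosts permitted to reach the terminal servers.
AUTHORIZED_IPS = {ipaddress.ip_address(ip) for ip in ("10.20.1.10", "10.20.1.11")}
# Assumed serial-over-IP listener ports on the terminal servers.
TERMINAL_SERVER_PORTS = {4001, 4002}

# Constructed flow-log format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)

def parse_line(line):
    """Return (ts, src_ip, dst_ip, dport) or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))

def find_unauthorized(lines, authorized=AUTHORIZED_IPS, ports=TERMINAL_SERVER_PORTS):
    """Return alerts for connections to terminal-server ports from non-allowlisted IPs."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-matching line; skip it
        ts, src, dst, dport = rec
        if dport in ports and src not in authorized:
            alerts.append({"ts": ts, "src": str(src), "dst": str(dst), "dport": dport})
    return alerts

# Constructed sample log: one authorized, one unauthorized, one unrelated port, one garbage line.
SAMPLE_LOG = [
    "2018-08-23T10:00:01Z src=10.20.1.10:51000 dst=10.20.5.2:4001 proto=tcp",
    "2018-08-23T10:00:07Z src=192.168.77.5:51001 dst=10.20.5.2:4001 proto=tcp",
    "2018-08-23T10:00:09Z src=192.168.77.5:51002 dst=10.20.5.2:443 proto=tcp",
    "garbage line",
]

if __name__ == "__main__":
    for a in find_unauthorized(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}")
```

Only the second sample line is flagged: it reaches a terminal-server port from a host outside the allowlist.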
🔗 References
- http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-various-alaris-plus-syringe-pumps-sold-and-in-use-outside-the-united-states
- http://www.securityfocus.com/bid/105147
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-235-01