CVE-2019-10959

10.0 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload malicious firmware files to BD Alaris medical devices during firmware updates, potentially gaining unauthorized control. It affects multiple BD Alaris Gateway Workstation models and related products running vulnerable firmware versions. This could compromise medical device functionality and patient safety.

💻 Affected Systems

Products:
  • BD Alaris Gateway Workstation
  • Alaris GS
  • Alaris GH
  • Alaris CC
  • Alaris TIVA
Versions: Gateway Workstation: 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, 1.3.1 Build 13; Other products: Software Version 2.3.6 and below
Operating Systems: Embedded/medical device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Latest firmware versions 1.3.2 and 1.6.1 are not affected. This is a medical device vulnerability requiring special handling.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover allowing manipulation of medication delivery, patient data exposure, or device bricking that could directly impact patient care.

🟠 Likely Case: Unauthorized firmware installation leading to device malfunction, data theft, or disruption of medical workflows.

🟢 If Mitigated: Limited impact if network segmentation and strict access controls prevent unauthorized access to firmware update interfaces.

🌐 Internet-Facing: MEDIUM - While medical devices shouldn't be internet-facing, misconfigurations could expose them.
🏢 Internal Only: HIGH - Attackers with network access can exploit this vulnerability to compromise devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to firmware update functionality but doesn't require authentication. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Gateway Workstation: 1.3.2 or 1.6.1; Other products: Software Version above 2.3.6

Vendor Advisory: https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletins/alaris-gateway-workstation-unauthorized-firmware

Restart Required: Yes

Instructions:

1. Contact BD technical support for firmware update packages.
2. Schedule a maintenance window.
3. Back up device configurations.
4. Apply the firmware update following BD's official procedures.
5. Verify that the update succeeded and the device functions correctly.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate medical devices on separate VLANs with strict firewall rules preventing unauthorized access to firmware update interfaces.

Access Control (applies to: all)

Implement strict authentication and authorization controls for accessing device management interfaces.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable devices from general network traffic
  • Monitor network traffic to/from medical devices for unauthorized firmware update attempts

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via device interface or management console. Compare against affected versions list.

Check Version:

Device-specific: Check via device display or management interface (no universal command)

Verify Fix Applied:

Verify firmware version shows 1.3.2, 1.6.1, or software version above 2.3.6. Test firmware update functionality with authorized procedures only.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized firmware update attempts
  • Unexpected device reboots
  • Firmware version changes

Network Indicators:

  • Unexpected traffic to firmware update ports
  • Large file transfers to medical devices

SIEM Query:

source_ip IN (medical_device_subnet) AND (port:80 OR port:443) AND bytes_transferred > 100MB
