CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.009 Low (Percentile 82.5%)
Successful exploitation of these vulnerabilities could allow an attacker to compromise sensitive data, hijack a session, modify firmware, make changes to system configurations, among other system impacts.
The following versions of BD Alaris system products are affected:
3.2.1 IMPROPER INPUT VALIDATION CWE-20
In BD Alaris Point-of-Care Unit (PCU) Model 8015 v12.1.3 and prior, the firmware update package for the wireless card is not properly signed and can be modified.
CVE-2023-30559 has been assigned to this vulnerability. A CVSS v3 base score of 5.2 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).
3.2.2 IMPROPER AUTHENTICATION CWE-287
In BD Alaris Point-of-Care Unit (PCU) Model 8015 v12.1.3 and prior, the configuration of the PCU can be modified without authentication over a physical connection to the PCU.
CVE-2023-30560 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.3 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
In BD Alaris Point-of-Care Unit (PCU) Model 8015 v12.1.3 and prior, the data flowing between the PCU and its modules is insecure. A threat actor with physical access could read or modify data by attaching a specially crafted device while an infusion is running.
CVE-2023-30561 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
3.2.4 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
BD Alaris Guardrails Editor (GRE) v12.1.2 and prior has a GRE dataset file within Systems Manager that can be tampered with and distributed to the PCUs.
CVE-2023-30562 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H).
3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
In the BD Alaris Systems Manager (SM) v12.3 and prior, a malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.
CVE-2023-30563 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).
3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
BD Alaris Systems Manager (SM) v12.3 and prior does not perform input validation during the Device Import Function.
CVE-2023-30564 has been assigned to this vulnerability. A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).
3.2.7 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
An insecure connection between Systems Manager and CQI Reporter v10.17 application could expose infusion data to an attacker.
CVE-2023-30565 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
3.2.8 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
A lack of input validation within Apache Log4Net (due to an outdated software version) could allow a threat actor to execute malicious commands.
CVE-2018-1285 has been assigned to this vulnerability. A CVSS v3 base score of 3.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L).
BD reported these vulnerabilities to CISA.
BD has released BD Alaris System 12.3 with the following software, which remediates CVE-2018-1285, CVE-2023-30563, CVE-2023-30564, and CVE-2023-30565 and partially remediates CVE-2023-30562:
BD Alaris System 12.3 is no longer compatible with the CQI Reporter version 10.17 and earlier. Therefore, CVE-2023-30565 no longer applies.
BD Alaris System 12.3, which includes BD Alaris Guardrails Editor version 12.1.3, partially remediates CVE-2023-30562 and reduces the CVSS score from 6.7 (Medium) to 3.0 (Low). Additional information is provided under Vulnerability Details; for the revised rating, see the updated CVSS vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
BD recommends customers update to the BD Alaris System 12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.
BD also updated the BD Alaris PCU Model 8015 to version 12.3.1 when the BD Alaris System 12.3 was released. The following CVEs are still present on the BD Alaris PCU Model 8015 version 12.3.1: CVE-2023-30559, CVE-2023-30560, and CVE-2023-30561. This bulletin will be updated with additional remediation information when available.
For additional information, customers may request a copy of the latest BD Alaris System Product Security White Paper by visiting the BD Cybersecurity Trust Center.
To reduce the risk associated with these vulnerabilities, BD recommends users implement the following mitigations and compensating controls:
Provide appropriate network perimeter security, such as using firewalls, or create Access Control Lists (ACL) to limit network traffic from devices to only the required ports on the required endpoints.
Users should control network access to the SM server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the SM Virtual Machine Deployment Guide.
Follow Chapter 1 of the Alaris System Maintenance Software User Manual to enable an authentication challenge password for network configuration changes.
See the Network Settings section of the Alaris System Maintenance User Manual for details on how to manage these credentials.
Utilize MAC filtering on the network segment containing the BD Alaris System to restrict access to only the approved devices that are needed.
Periodically inspect BD Alaris System components to ensure they are running the correct software versions.
Adhere to industry security best practices regarding access control, identification and authorization, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2.
Inspect the BD Alaris System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris System Products Service Manual.
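The "inspect components for correct software versions" mitigation is easier to apply from an inventory export than by hand; the following is an added example, not code from CISA or BD, that classifies each record against the affected and remediated versions stated in this advisory. The component labels, the inventory record format and the sample export are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Rule:
    component: str          # label used in the inventory export (assumed)
    fixed: Optional[str]    # first remediated version; None if none released yet
    cves: tuple
    partial: bool = False   # fix lowers the CVSS score but does not remove the CVE
    note: str = ""

# Version facts taken from the advisory text; component labels are assumptions.
RULES = (
    Rule("PCU 8015", None, ("CVE-2023-30559", "CVE-2023-30560", "CVE-2023-30561"),
         note="affected in v12.1.3 and prior, still present in 12.3.1"),
    Rule("GRE", "12.1.3", ("CVE-2023-30562",), partial=True,
         note="affected in 12.1.2 and prior; 12.1.3 lowers CVSS 6.7 to 3.0"),
    Rule("CQI Reporter", None, ("CVE-2023-30565",),
         note="10.17 and earlier not compatible with Alaris System 12.3"),
)

def parse_version(text: str) -> tuple:
    """'v12.1.3' -> (12, 1, 3)."""
    return tuple(int(p) for p in text.strip().lower().lstrip("v").split("."))

def version_le(a: str, b: str) -> bool:
    """True if a <= b, treating '12.1' and '12.1.0' as equal."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    return va + (0,) * (n - len(va)) <= vb + (0,) * (n - len(vb))

def assess(component: str, version: str) -> dict:
    """Classify one inventory record against the advisory's remediation facts."""
    rule = next((r for r in RULES if r.component == component), None)
    if rule is None:
        return {"component": component, "version": version,
                "status": "not in advisory", "cves": [], "note": ""}
    if rule.fixed is not None and version_le(rule.fixed, version):
        status = "partially remediated" if rule.partial else "remediated"
    else:
        status = "affected"   # no fix released, or unit runs below the fixed version
    return {"component": component, "version": version, "status": status,
            "cves": list(rule.cves), "note": rule.note}

SAMPLE_INVENTORY = [("PCU 8015", "v12.1.3"), ("PCU 8015", "12.3.1"),  # constructed sample
                    ("GRE", "12.1.2"), ("GRE", "12.1.3"), ("CQI Reporter", "10.17")]

def triage(inventory):
    """Assess every record, affected units first so they head the work list."""
    order = {"affected": 0, "partially remediated": 1, "remediated": 2, "not in advisory": 3}
    return sorted((assess(c, v) for c, v in inventory), key=lambda r: order[r["status"]])
```

Systems Manager is deliberately left out of the rules: the advisory lists "SM v12.3 and prior" as affected while naming BD Alaris System 12.3 as the remediation, so that component should be checked against BD's bulletin rather than a version threshold.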
For more information, refer to BD's security bulletin.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1285
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30559
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30560
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30561
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30562
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30563
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30564
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30565
cwe.mitre.org/data/definitions/20.html
cwe.mitre.org/data/definitions/287.html
cwe.mitre.org/data/definitions/311.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/345.html
cwe.mitre.org/data/definitions/611.html
cwe.mitre.org/data/definitions/79.html
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx
www.bd.com/en-us/about-bd/cybersecurity?lastUpdate=all-dates#trustcenter
www.cisa.gov/resources-tools/resources/ics-recommended-practices
www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
www.cisa.gov/topics/industrial-control-systems
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/ncas/tips/ST04-014
www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H