The Alaris Gateway Workstation (AWG) is a system that connects drug delivery pumps with patient data management systems and runs on Windows CE. Two vulnerabilities have been found in it that could allow hackers to turn off the device, install malicious software, and report false information, and also to do more dangerous things, such as controlling pumps and changing drug doses.
Alaris Gateway Workstation
The Alaris Gateway Workstation was created by the American medical device manufacturer Becton, Dickinson and Company (BD) and is used in hospitals and clinics in 50 countries, in Europe and Asia.
AWGs help to improve the operation of infusion pumps used in a wide range of treatments, including drug delivery, blood transfusions, chemotherapy, hemodialysis, and anesthesia.
The vulnerabilities were discovered by Elad Luz, a researcher at CyberMDX, which offers security solutions to health care providers.
One vulnerability, CVE-2019-10959, is in the firmware of the workstation. It allows an attacker to load malicious archives during a firmware update.
For a hacker to use the vulnerability, he or she must first gain access to a hospital's network, know the product well, and be able to update and manipulate a CAB file, which stores files in an archived library.
If all of these conditions are met, the attacker will be able to use the vulnerability and influence the pumps.
Additionally, to exploit the vulnerability, the attacker would have to create an executable with custom code that can run in the Windows CE environment, and create a specific installer for the CAB file with the settings needed to run the program.
The attacker could also infiltrate the machine and install a malicious program that acts as a base for network attacks and transmits false information from the pumps.
“Due to the ease of attack, the ability to attack remotely and the significant consequences, the firmware vulnerability was rated 10/10 for its severity,” CyberMDX notes.
The second vulnerability, CVE-2019-10962, affects the workstation's web console, which does not require credentials to gain access.
This means that anyone who knows the workstation's IP address can monitor the pumps and access the event logs and the user guide. They can also make changes to the network configuration (IP / subnet / WiFi / LAN).
In this case too, the attacker must first gain access to the hospital network.
This vulnerability does not directly affect the operation of an infusion pump, as the console is an online application whose purpose is to collect data.
Affected Versions and Risk Mitigation
The CVE-2019-10959 vulnerability affects AWGs that use the following firmware versions: 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13.
It can also be found in older BD products with software version 2.3.6.
BD advises administrators to upgrade to firmware version 1.3.2 or 1.6.1, block SMB, and ensure that only their partners have access to the network.
The CVE-2019-10962 vulnerability affects AWGs that use firmware versions 1.0.13, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.1.5, and 1.1.6.
BD advises administrators to upgrade to firmware version 1.3.2 or 1.6.1, isolate their network from untrusted systems, and allow access only to appropriate partners.
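The version lists above can be checked against a device inventory. The following Python sketch is an added example, not code from BD or CyberMDX; the hostnames and the inventory format are constructed, and treating a build-suffixed 1.3.2 or 1.6.1 as fixed is an assumption. Versions that appear on neither list are sent for manual review rather than assumed safe.

```python
import re

# Affected AWG firmware versions, copied from the lists in the text above.
AFFECTED = {
    "CVE-2019-10959": {"1.1.3 build 10", "1.1.3 mr build 11", "1.2 build 15",
                       "1.3.0 build 14", "1.3.1 build 13"},
    "CVE-2019-10962": {"1.0.13", "1.1.3 build 10", "1.1.3 mr build 11",
                       "1.1.5", "1.1.6"},
}
FIXED = {"1.3.2", "1.6.1"}  # upgrade targets named in the text above


def normalize(raw):
    """Lower-case, collapse whitespace and strip a leading 'v'."""
    s = re.sub(r"\s+", " ", raw.strip().lower())
    return re.sub(r"^v(?=\d)", "", s)


def triage(raw):
    """Return (status, cves) for one reported firmware string."""
    v = normalize(raw)
    cves = sorted(c for c, versions in AFFECTED.items() if v in versions)
    if cves:
        return "affected", cves
    # Assumption: a fixed release reported with a build suffix is still fixed.
    if v.split(" ")[0] in FIXED:
        return "fixed", []
    # On neither list (or missing its build number): never assume safe.
    return "review", []


# Constructed sample inventory: (hostname, firmware string as reported).
INVENTORY = [
    ("gw-icu-01", "1.1.3 MR Build 11"),
    ("gw-icu-02", "v1.3.2"),
    ("gw-onc-01", "1.3.1  build 13"),
    ("gw-onc-02", "1.1.6"),
    ("gw-er-01", "1.4.0"),
]


def report(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(fw) for host, fw in inventory}


if __name__ == "__main__":
    for host, (status, cves) in report(INVENTORY).items():
        print(f"{host:10} {status:9} {', '.join(cves)}")
```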