BD Alaris Plus vulnerability
Global medical tech company BD has more than 40,000 associates across 50 countries. BD Alaris Plus is a platform with capabilities to protect patients and clinicians from medication errors by facilitating the prevention of IV medication errors.
BD Alaris Plus was discovered by Elad Luz of CyberMDX to have a vulnerability in its medical syringe pump when connected via serial port thus allowing remote access. The vulnerability was found in non-United States software versions 2.3.6 and prior (models GS, GH, CC, and TIVA.)
This vulnerability was expediently reported by BD to ICS-CERT and the National Health Information Sharing and Analysis Center. BD no longer sells these pumps and highly discourages utilizing a serial port to terminal configuration in its use.
BD has recommended the following compensating controls: Do not use terminal servers with this device; utilize these devices on a segmented network or as stand-alone; and, utilize an Alaris Gateway Workstation dock.
]]>