BD has issued the following statement to make users aware of a network session vulnerability affecting the BD Alaris 8015 PC Unit and BD Alaris Systems Manager:
As part of the company’s commitment to ensure our products are used in a safe and secure manner, BD proactively posted a security notification regarding a network session vulnerability relevant to customers using BD Alaris™ 8015 PC Unit (versions 9.33.1 and earlier) and BD Alaris™ Systems Manager (versions 4.33 and earlier).
If exploited, this vulnerability could allow an unauthorized user to attempt a denial of service attack, which could potentially disrupt the unit’s wireless capabilities. However, a disruption in wireless connectivity would not affect pump functionality. Further, this vulnerability cannot be exploited without first gaining physical access to a facility’s network and then performing multiple additional steps.
BD has received no reports of exploits in a clinical setting related to this vulnerability, and the company has published recommended compensating controls for customers using specified versions of the BD Alaris™ PC Unit and the BD Alaris™ Systems Manager to its Product Security and Privacy page at BD.com/ProductSecurity.
To maximize awareness, BD voluntarily reported this vulnerability to the U.S. Food and Drug Administration and to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).
This vulnerability disclosure is not related to the BD Alaris System recall notifications issued earlier this year.