The notification applies to BD’s Alaris PC unit, model 8015, versions 9.33.1 and earlier, as well as the Alaris systems manager, versions 4.33 and earlier, according to a news release.
BD was made aware of a network session vulnerability within the authentication process between specified versions of the Alaris PC unit and systems manager. The vulnerability could allow an unauthorized user to establish a direct networking session between the two products if exploited. The company has received no reports of exploits related to the vulnerability. Medigate reported the vulnerability to BD.
In order to exploit the vulnerability, the user would need access to the customer's wireless network, redirect the PC unit's authentication requests with custom code and complete an authentication handshake, BD said. If successful, the user could deny service on the PC unit by modifying the configuration headers of data in transit, potentially causing a drop in the wireless capability of the unit.
Potential impacts include the inability to pre-populate the Alaris PC unit with infusion parameters and the inability to wirelessly send data to the PC unit. However, exploitation would not provide administrative access to either affected product, meaning an unauthorized user would not be able to gain permissions or perform remote commands.
BD is addressing the vulnerability with an upcoming version of the PC unit software along with Alaris systems manager v12.0.1, v12.0.2, v12.1.0 and v12.1.1.
More than 60% of systems manager installations have already been updated to a version that addresses the vulnerability, according to BD. In the meantime, BD recommends that customers enable the firewall on the systems manager, treat the systems manager as a critical service and operate it on a secured network.
BD has had to grapple not only with the effects of the COVID-19 pandemic but also with a hold on shipments of its Alaris infusion pumps as it prepares a comprehensive 510(k) submission for FDA that covers a host of software fixes needed after a Class I recall. The company expects to submit the 510(k) in late Q2 or early Q3 (around spring 2021), CEO Thomas Polen said during a Nov. 5 earnings call.