Today the DHS ICS-CERT published two medical control system security advisories for products from Becton, Dickinson and Company (BD) and an industrial control system advisory for products from Sielco Sistemi. Both BD advisories were previously published on the NCCIC Portal on January 17, 2017. Yesterday ICS-CERT updated their medical control system advisory for products from St. Jude; that advisory was originally published on January 9th, 2017.
BD Alaris 8015 Advisory
This advisory describes twin insufficiently protected credentials vulnerabilities in the BD Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. The vulnerabilities were self-reported, but the BD Security Bulletin reports that unnamed “independent security researchers” were involved in finding them. The advisory provides multiple compensating controls that mitigate the vulnerabilities.
ICS-CERT reports that both vulnerabilities could be exploited by a relatively unskilled attacker with physical access to the devices. Both would require access to a flash drive: one installed in the unit, the other removable. A successful exploit would allow the attacker access to the host facility’s wireless network authentication credentials and other sensitive technical data.
There is no mention of this vulnerability on the FDA Medical Device Safety Communications page.
BD Alaris 8000 Advisory
This advisory describes an insufficiently protected credentials vulnerability in the BD Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. The only difference from the advisory above is that only an internal flash memory device is involved.
ICS-CERT reports that a relatively low-skilled attacker with physical access to the device could exploit this vulnerability. The BD Security Bulletin, however, notes:
“Attack complexity is HIGH based on limited availability of these wireless credentials that are stored in the PCU on internal flash memory. The attacker would then have to use advanced tools to read the flash memory, decode the file system, and then locate and read the credential data. No system privilege is required and an attacker would be able to read the credential data without a user name or password.”
Sielco Sistemi Advisory
This advisory describes an uncontrolled search path element vulnerability in the Sielco Sistemi Winlog SCADA software. The vulnerability was reported by Karn Ganeshen. Sielco Sistemi has released a new version of the software to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT did not comment on the exploitability of this vulnerability except to note that a successful exploit may allow an attacker to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.
St. Jude Update
This update provides new information on:
• The versions of the device that are affected by the vulnerability; and
• How the various versions of the device may be affected.
The FDA Safety Communication about this vulnerability has not been updated with the new information.