Dive Brief:

• Becton Dickinson disclosed on Thursday that it has identified eight cybersecurity vulnerabilities in its Alaris infusion pump system.
• The company said it discovered the weaknesses through routine testing, and there were no reports of them being exploited. 
• The U.S. Cybersecurity and Infrastructure Security Agency said in a Wednesday advisory that successful exploitation of the vulnerabilities could allow a hacker to compromise sensitive data, hijack a session, modify firmware or make changes to system configurations.

Dive Insight:

One of the eight vulnerabilities identified by BD was high risk, meaning a malicious file could be uploaded into a system manager user import function, resulting in a hijacked session. If a hacker were to gain access to the system manager application, it could impact other systems containing sensitive information, BD said.

The vulnerabilities apply to the BD Alaris System v12.1.3 and earlier. For some of them, physical access to the device would be necessary to exploit the vulnerability, but for others, the hacker would only need to have network access.

CISA said the vulnerabilities found by BD have a low attack complexity, making them easier to exploit.

The full list of vulnerabilities includes insufficient verification of data authenticity, missing authentication for critical function, improper verification of cryptographic signature, missing support for integrity check, cross-site scripting, cleartext transmission of sensitive information, and improper restriction of XML external entity reference. 

BD said in a statement that remediation and deployment planning for these vulnerabilities is currently in progress. The company said existing control measures should reduce the probability of harm.