Description
Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality that requires a provable user identity, where it may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105147
Vendor Advisory x_refsource_confirm
http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-various-alaris-plus-syringe-pumps-sold-and-in-use-outside-the-united-states
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSMA-18-235-01
Scores
CVSS v3
9.4
EPSS
0.0306
EPSS Percentile
85.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (4)
bd/alaris_cc_firmware
< 2.3.6
bd/alaris_gh_firmware
< 2.3.6
bd/alaris_gs_firmware
< 2.3.6
bd/alaris_tiva_firmware
< 2.3.6
Published
Aug 23, 2018
Tracked Since
Feb 18, 2026