CVE-2023-30561 – Lack of Cryptographic Security of IUI Bus
https://notcve.org/view.php?id=CVE-2023-30561
The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-311: Missing Encryption of Sensitive Data
CVE-2023-30560 – PCU Configuration Lacks Authentication
https://notcve.org/view.php?id=CVE-2023-30560
The configuration from the PCU can be modified without authentication using a physical connection to the PCU. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-287: Improper Authentication
CVE-2023-30559 – Wireless Card Firmware Improperly Signed
https://notcve.org/view.php?id=CVE-2023-30559
The firmware update package for the wireless card is not properly signed and can be modified. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-20: Improper Input Validation • CWE-287: Improper Authentication • CWE-345: Insufficient Verification of Data Authenticity
CVE-2020-25165
https://notcve.org/view.php?id=CVE-2020-25165
BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier, and BD Alaris Systems Manager, Versions 4.33 and earlier: The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit. • https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01 • CWE-287: Improper Authentication