Skip to main content

CVE-2022-43557: CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface in Becton, Dickinson and Company (BD) BodyGuard™ Pump

Medium
Published: Mon Dec 05 2022 (12/05/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Becton, Dickinson and Company (BD)
Product: BodyGuard™ Pump

Description

The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. If exploited, threat actors with physical access, specialized equipment and knowledge may be able to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the pump.

AI-Powered Analysis

AILast updated: 06/22/2025, 08:36:47 UTC

Technical Analysis

CVE-2022-43557 identifies a security vulnerability in the Becton, Dickinson and Company (BD) BodyGuard™ infusion pumps, specifically related to the RS-232 serial port interface. The vulnerability is classified under CWE-1299, which refers to a missing protection mechanism for an alternate hardware interface. In this case, the RS-232 port on the affected infusion pumps allows physical access to the device's configuration and operational controls without adequate security protections. Exploitation requires an attacker to have physical access to the pump, specialized equipment to interface with the serial port, and technical knowledge to manipulate the device. If successfully exploited, the attacker could potentially configure or disable the pump, impacting its intended medical functionality. Importantly, the pumps do not store electronic protected health information (ePHI), protected health information (PHI), or personally identifiable information (PII), so the confidentiality risk to patient data is minimal. However, the integrity and availability of the medical device are at risk, which could directly affect patient safety. The affected product versions include multiple editions of the BD BodyGuard™ and CME BodyGuard™ 323 series pumps. No public exploits have been reported in the wild, and no patches or firmware updates have been linked to this vulnerability as of the published date. The vulnerability was reserved in October 2022 and published in December 2022, with a medium severity rating assigned by the vendor. The lack of electronic data exposure reduces the risk of data breaches, but the ability to alter or disable the pump raises concerns about potential disruption to critical infusion therapy in clinical settings.

Potential Impact

For European healthcare organizations, this vulnerability poses a risk primarily to the availability and integrity of infusion therapy devices. Successful exploitation could lead to pump misconfiguration or shutdown, potentially interrupting critical medication delivery to patients. This could result in adverse patient outcomes, especially in intensive care units or other high-dependency medical environments where infusion pumps are essential. While no patient data is at risk, the disruption of medical device functionality could increase the burden on healthcare staff and compromise patient safety. The requirement for physical access and specialized equipment limits the threat to insider attacks or targeted physical breaches rather than remote cyberattacks. However, given the critical role of infusion pumps in hospitals, any disruption could have significant operational and clinical impact. European healthcare providers relying on BD BodyGuard™ pumps should be aware of this risk, particularly in facilities with less stringent physical security controls or where devices are accessible to multiple personnel. The impact is less likely to extend beyond healthcare settings due to the specialized nature of the device and exploitation requirements.

Mitigation Recommendations

1. Enforce strict physical security controls around infusion pumps, including secure storage and restricted access to devices, especially when not in use. 2. Implement inventory management and regular audits of infusion pumps to detect unauthorized access or tampering. 3. Train clinical and technical staff to recognize signs of device tampering or malfunction that could indicate exploitation attempts. 4. Collaborate with BD to monitor for firmware updates or patches addressing this vulnerability and apply them promptly once available. 5. Consider deploying tamper-evident seals or locks on serial port interfaces to deter unauthorized physical access. 6. Develop incident response procedures specific to infusion pump failures or suspicious behavior to ensure rapid mitigation and patient safety. 7. Evaluate alternative infusion pump models with enhanced hardware interface protections for future procurement decisions. 8. Limit the use of serial port interfaces for routine device management unless absolutely necessary, and document all access events.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
BD
Date Reserved
2022-10-20T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9847c4522896dcbf55a7

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 8:36:47 AM

Last updated: 8/9/2025, 12:51:14 AM

Views: 17

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats