Product security bulletin for Meltdown and Spectre

Updated January 12, 2018

Background


BD is currently monitoring the Meltdown and Spectre vulnerabilities. While these vulnerabilities are hardware-based, they impact multiple operating systems. A flaw in computer chips could allow malicious software to gain access to other processes and data on any impacted computer or server, including cloud applications. These vulnerabilities are not exclusive to BD or medical devices. They potentially affect every computer and/or device with a central processing unit (CPU).

Response

BD has assessed these vulnerabilities and identified the risk as low impact. Any attack would require local or physical access, the difficulty of exploiting these vulnerabilities is high, and the vulnerabilities do not have the potential to corrupt, modify, or delete data.

As a result of these events, BD recommends the following for systems with a vulnerable processor and an unpatched operating system with any form of network connectivity to minimize risk and impact:

    • Ensure the following patches have been applied to your devices:
      • Microsoft Advisory: Apply patches for ADV180002, updated January 2018.
      • As part of our ongoing efforts to provide security, reliability and availability for your BD products, we test and approve applicable Microsoft patches that Microsoft identifies as being Critical or Security related. BD is expediting validation efforts for the Microsoft patches released for Meltdown and Spectre vulnerabilities.
    • Apply any applicable firmware update provided by your device manufacturer.
    • Ensure your data has been backed up and stored according to your individual process and that your disaster recovery procedures are in place.
    • Update your malware protection, where available.

Note: Intel™ has released a statement noting these exploits do not have the potential to corrupt, modify or delete data.

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s).

Products in Scope

BD has provided the list below to help our customers identify any BD products with a computer chip that has the potential to be vulnerable to these threats. The list of BD products below is currently dynamic and will be updated as we complete analysis of products in scope.

  • Accuri C6 Gen II
  • Accuri C6 Plus
  • Alaris Systems Manager
  • BD Assurity Linc™
  • BD BACTEC™ 9050
  • BD BACTEC™ 9120/9240
  • BD BACTEC™ FX
  • BD BACTEC™ FX40
  • BD Data Innovations™
  • BD EpiCenter™
  • FACSAria Fusion
  • FACSAria I/II/III
  • FACSCalibur
  • FACSCanto 10-color
  • FACSCanto 10-color clinical
  • FACSCanto II
  • FACSCanto II clinical
  • FACSCelesta
  • FACSCount
  • FACSDuet Sample Prep (ASaP)
  • FACSJazz
  • FACSLink Interface
  • FACSLyric
  • FACSMelody
  • FACSPresto
  • FACSSample Prep Assistant (SPA) III
  • FACSVerse
  • FACSVia
  • BD Focal Point™ Slide Profiler
  • GenCell CliC
  • Influx
  • BD Kiestra™ InoquIA+
  • BD Kiestra™ TLA/WCA
  • LSR II
  • LSRFortessa
  • LSRFortessa X-20
  • Lyse Wash Assistant (LWA)
  • Panel Designer
  • BD Phoenix™ 100
  • BD Phoenix™ AP
  • BD Phoenix™ M50
  • BD PrepStain
  • BD Probetec™ ET
  • Pyxis Anesthesia ES
  • Pyxis Anesthesia System 3500
  • Pyxis Anesthesia System 4000
  • Pyxis CathRack v8
  • Pyxis CIISafe
  • Pyxis CUBIE Replenishment Station
  • Pyxis DuoStation
  • Pyxis EcoStation System
  • Pyxis MedStation 3500
  • Pyxis MedStation 4000
  • Pyxis MedStation ES
  • Pyxis ParAssist System
  • Pyxis Parx
  • Pyxis Parx handheld
  • Pyxis ProcedureStation
  • Pyxis Specimen Collection Verification (SCV)
  • Pyxis® Infant Care Verification (ICV)
  • Pyxis® Medication Administration (MA)
  • Pyxis® Nursing Data Collection (NDC)
  • Pyxis® Transfusion Verification (TV)
  • Pyxis Supply Roller
  • Pyxis SupplyStation
  • Rowa Smart
  • Rowa Vmax
  • BD Totalys™ Slide Prep
  • BD Veritor™ Plus System
  • BD Viper LT™



Note: The list provided above does not indicate the patch or device status. The intended use of these products does not include email and/or internet browsing. BD is determining compensating controls and prioritizing patch validation and impact for all hosted solutions, including MedMinded and Knowledge Portal.

Questions

For product or site-specific concerns, contact your BD service representative. We will update this communication as new information becomes available.

For procedures specific to your product, contact your BD service representative. If you observe symptoms of a ransomware attack, disconnect your system from the network and contact your BD service representative and/or BD Product Security at ProductSecurity@bd.com.

Additional Resources

https://meltdownattack.com/

US-CERT Notice: Vulnerability Note VU#584653