Product Security Bulletin for Third-Party ESET Legacy Startup Issue

Background

BD is aware of and is currently monitoring a third-party application issue in ESET Security products, in which the ESET kernel component validates against a certificate that expired on February 7, 2020; because the certificate has expired, validation fails and the dependent protection modules do not load. Please note that this is not a security vulnerability and cannot be exploited by an unauthorized user. Additionally, BD has not received any reports of this third-party application issue affecting BD products.

As a result of this application issue, the impacted versions of ESET Security products fail to load modules such as Firewall, Host Intrusion Prevention System (HIPS), Update, Device Control, and Web and Email protection, so those protections do not function. ESET has corrected the issue in its latest security update; the issue is not specific to BD or to BD products.

BD utilizes the following three ESET Security products:

  • ESET Endpoint Antivirus/ESET Endpoint Security 5
  • ESET Endpoint Antivirus/ESET Endpoint Security 6.5.2000+
  • ESET File Security for Windows 6.5.12000+

For a full list of impacted ESET Security Products please see ESET’s advisory.

Response

BD is currently working to test and validate the security update, released by ESET, for BD products that use the affected third-party products. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize the impacted ESET products:

  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures 

BD Products that Utilize Affected ESET Products:

The product list below is available to customers to help identify existing BD Products that utilize the affected ESET products. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Care Coordination Engine™ (CCE)
  • BD HealthSight™ Viewer
  • BD Patient Association Application™ (PAA)
  • BD Pyxis™ Anesthesia Station 3500
  • BD Pyxis™ Anesthesia Station 4000
  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ CIISafe
  • BD Pyxis™ Connect
  • BD Pyxis™ IV Prep
  • BD Pyxis™ Logistics
  • BD Pyxis™ MedStation™ 3500 System
  • BD Pyxis™ MedStation™ 4000 System
  • BD Pyxis™ MedStation™ ES Server
  • BD Pyxis™ Pharmogistics Server
  • BD Pyxis™ Point of Care Server
  • BD Pyxis™ ScrubStation System
  • BD Pyxis™ Server ES
  • BD Pyxis™ SupplyStation™ SupplyCenter Server
  • BD Pyxis™ SupplyStation™ SupplyServer Client
  • BD Pyxis™ SupplyStation™ SupplyStation
  • BD Pyxis™ Virtual Test System
  • BD Tissue and Implant Module™ (TIM)

Customers that maintain patches independently of BD automated delivery are the responsible entity for those systems and should ensure the following action is performed in order to maintain the correct security posture of the system(s).

  • Ensure ESET Security is updated to at least version 5.0.2272.7
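The following PowerShell script is an added example (not BD's or ESET's own tooling) for confirming the minimum version on a Windows host before or after a manual update. It assumes the ESET product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "ESET", that the 5.0.2272.7 minimum applies to the ESET 5 line only (the 6.5 products listed above have their own fixed builds in ESET's advisory), and that the ESET kernel service is named ekrn; adjust those assumptions for your environment.

```powershell
# Added example: verify the installed ESET product meets the bulletin's minimum
# version and that the ESET kernel service is running. Not BD or ESET code.
param(
    [version]$MinimumVersion = [version]'5.0.2272.7'   # minimum named in the bulletin (5.x line)
)

# Both 64-bit and 32-bit Uninstall hives, so the check works on either architecture.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the ESET product's DisplayName starts with "ESET".
$esetProducts = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'ESET*' -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

if (-not $esetProducts) {
    Write-Output 'No ESET product found in the Uninstall registry keys.'
    exit 2
}

$needsUpdate = $false
foreach ($p in $esetProducts) {
    # Cast to [version] so the comparison is numeric per component, not lexical
    # (a string compare would rank "5.0.22711.0" below "5.0.2272.7").
    try {
        $installed = [version]$p.DisplayVersion
    } catch {
        Write-Output ("{0}: unparseable DisplayVersion '{1}', check manually" -f $p.DisplayName, $p.DisplayVersion)
        $needsUpdate = $true
        continue
    }

    if ($installed.Major -ne $MinimumVersion.Major) {
        # A different major line (e.g. 6.5.x) has its own fixed build; consult ESET's advisory.
        Write-Output ("{0} {1}: different major line than {2}, consult ESET's advisory" -f $p.DisplayName, $installed, $MinimumVersion)
        continue
    }

    if ($installed -lt $MinimumVersion) {
        Write-Output ("{0} {1}: BELOW minimum {2}" -f $p.DisplayName, $installed, $MinimumVersion)
        $needsUpdate = $true
    } else {
        Write-Output ("{0} {1}: OK (at or above {2})" -f $p.DisplayName, $installed, $MinimumVersion)
    }
}

# The bulletin's symptom is protection modules failing to load, so also report the
# state of the ESET kernel service. Assumption: the service name is 'ekrn'.
$svc = Get-Service -Name 'ekrn' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("ESET service ekrn: {0}" -f $svc.Status)
} else {
    Write-Output 'ESET service ekrn not found on this host.'
}

if ($needsUpdate) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell prompt on the host; a non-zero exit code marks a host that still needs the ESET update (1) or has no ESET product registered (2), which makes it easy to sweep a fleet with a remote execution tool and collect the results.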


Additional Resources

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party application issue, disconnect the device from the network and contact your BD service representative immediately.
