It applies to BD products in scope listed below. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD's culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risk, even those caused by third-party software and/or operating systems.
BD is committed to providing safe and secure products to our customers given the important benefits they provide to patient health. We value the confidentiality, integrity and availability of all protected health and personally identifiable information (e.g. PHI, PII) in accordance with all applicable federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act.
This notification provides product security information and recommendations related to a product security vulnerability found in the following BD Kiestra Systems: BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. The contents of this notification will be disclosed publicly on the BD Product Security website (www.bd.com/productsecurity) and are voluntarily reported by BD to the Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC), to optimally reach past and present customers.
--------- Begin Update B: October 2, 2018 ---------
This updated advisory provides a confirmation of mitigations to the original advisory titled Product security bulletin for BD Kiestra TLA, BD Kiestra WCA, BD InoqulA that was originally published May 22, 2018.
Mitigations & Compensating Controls
BD has developed and deployed a mitigation that prevents authorized users with access to a privileged account on a BD Kiestra system from triggering SQL functions. This mitigation also closes the exposure of a limited set of ePHI patient data that could be revealed when a privileged user executes a select SQL statement in the ReadA Overview. BD is in the process of deploying the mitigation remotely or on premise, depending on customer preference.
Customers should ensure that access to BD Kiestra Systems is closely monitored while continuing to implement best security practices to effectively prevent unauthorized access to BD Kiestra Systems.
For product support or site-specific concerns, please contact your regional customer service representative. North America customers may contact Lab Automation Regional Phone Support via email lab_automation_phone_support@bd.com or by phone 1-800-638-8663. EMEA customers may contact Customer Service Desk via email csd@bd.com or via phone +31 512 540 623.
--------- End Update B: October 2, 2018 ---------
This notification applies to the following BD Kiestra systems:
All three BD Kiestra systems listed above use the following vulnerable applications:
In March 2018, BD internally identified and confirmed a vulnerability that allows authorized users with access to a privileged account on a BD Kiestra system to trigger SQL functions.
Additionally, the following limited set of ePHI patient data may be exposed when a privileged user executes a select SQL statement in the ReadA Overview. Data that can be exposed includes:
The following data fields are only populated if the BD Kiestra™ Urine Culture Application (UCA) is installed:
As of this posting, there have been no complaints or reports from customers that this vulnerability has been exploited.
This vulnerability has been assessed for patient safety by BD and represents a controlled risk with low probability of harm to the patient directly. If this particular functionality were to be exposed due to misuse or malicious abuse, this could lead to a loss of data or corruption of data. This could potentially cause a delay in test results being reported to the clinician, which could lead to a delay in diagnosis and/or treatment.
BD has conducted internal risk assessments for the vulnerable applications and collaborated with the U.S. Department of Homeland Security (DHS) and Food and Drug Administration (FDA) to review baseline Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.
DB Manager, version 3.0.1.0
PerformA, version 3.0.0.0 and previous versions
5.6 Medium CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
Note: PerformA is used by BD authorized service personnel only
Adjacent access is required to exploit this vulnerability. Attack complexity is high because access to a privileged account on a BD Kiestra system is needed. Only users with higher level access privileges have access to the vulnerable function. A user interface is necessary to carry out an attack. The scope is unchanged, as executing a SQL attack would only affect the local system. Confidentiality is not at risk because SQL select statements do not return values, nor are their results visible through a user interface.
Authorized users with privileged access could affect the integrity of data and availability of the system. If successful, a privileged user may gain access to the Database Management functionality, which grants full administrative control of data stored in the database. This vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.
ReadA Overview, version 1.1.0.2 and previous versions
6.3 Medium CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Adjacent access is required to exploit this vulnerability. Attack complexity is high because access to a privileged account on a BD Kiestra system is needed. Only users with higher level access privileges have access to the vulnerable function. A user interface is necessary to carry out this attack. The scope is unchanged, as executing a SQL attack would only affect the local system.
Authorized users with privileged access could affect the confidentiality and integrity of data and the availability of the BD Kiestra systems. If successful, a privileged user may gain access to the Database Management functionality, which grants full control of data stored in the database. This vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.
BD intends to implement necessary mitigation controls by July 2018. This mitigation will include removing the functionality to trigger SQL functions in DB Manager, PerformA and ReadA.
Until mitigations are put in place, BD recommends the following compensating controls. These controls require customer action in order to reduce risk associated with this vulnerability:
BD Kiestra Total Laboratory Automation (TLA) System User's Manual. Page 193. Section: 26.3.11 Configuring Programs
BD Kiestra Work Cell Automation (WCA) System User's Manual. Page 191. Section: 25.3.11 Configuring Programs
BD Kiestra InoqulA+ system User's Manual. Page 109. Section: 13.3.11 Configuring Programs
BD Kiestra Total Laboratory Automation (TLA) System User's Manual. Page 187. Section: 26.3.4 Configuring users
BD Kiestra Work Cell Automation (WCA) System User's Manual. Page 185. Section: 25.3.4 Configuring users
BD Kiestra InoqulA+ system User's Manual. Page 103. Section: 13.3.4 Configuring users
BD Kiestra Total Laboratory Automation (TLA) System User's Manual. Page 187. Section: 26.3.4 Configuring users
BD Kiestra Work Cell Automation (WCA) System User's Manual. Page 185. Section: 25.3.4 Configuring users
BD Kiestra InoqulA+ system User's Manual. Page 103. Section: 13.3.4 Configuring users
For product support or site-specific concerns, North America customers may contact Lab Automation Regional Phone Support via email lab_automation_phone_support@bd.com or by phone 1-800-638-8663. EMEA customers may contact Customer Service Desk via email csd@bd.com or via phone +31 512 540 623.
You may also contact your regional customer service representative.
For more information on BD's proactive approach to product security and vulnerability management contact BD Product Security:
http://www.bd.com/productsecurity
May 2018
Product Security Bulletin for BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
BD Franklin Lakes, NJ
07417
United States
bd.com
© 2018 BD
Last BD Publication Update: 10/02/2018
Original BD Publication Date: 05/22/2018