It applies to BD products in scope listed below. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD's culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risk, even those caused by third-party software and/or operating systems.

BD is committed to providing safe and secure products to our customers given the important benefits they provide to patient health. We value the confidentiality, integrity and availability of all protected health and personally identifiable information (e.g. PHI, PII) in accordance with all applicable federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act.

This notification provides product security information and recommendations related to a product security vulnerability found in the following BD Kiestra Systems: BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. The contents of this notification will be disclosed publicly on the BD Product Security website (www.bd.com/productsecurity) and is voluntarily reported by BD with Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC) to optimally reach past and present customers.

--------- Begin Update B: October 2, 2018 ---------

This updated advisory provides a confirmation of mitigations to the original advisory titled Product security bulletin for BD Kiestra TLA, BD Kiestra WCA, BD InoqulA that was originally published May 22, 2018.

Mitigations & Compensating Controls

BD has developed and deployed a mitigation that prevents authorized users with access to a privileged account on a BD Kiestra system to trigger SQL functions. This mitigation also remediates a limited set of ePHI patient data that can be exposed when a privileged user executes a select SQL statement in the ReadA Overview. BD is in the process of deploying the mitigation remotely or on premise, depending on customer preference.

• When configuring new programs through the 'Configuring Programs' function in Database (BD) Manager version 3.0.1.0, the export-import function will no longer prompt the user with a pop-up window to enter SQL statements.
• ReadA Overview, version 1.1.0.2 and previous versions, will no longer prompt the user with a pop-up window to enter SQL statements.
• PerformA, version 3.0.0.0 and previous versions, will no longer allow BD personnel to execute SQL statements because permissions have been changed to read only.

Customers should ensure access to BD Kiestra Systems are closely monitored while continuing to implement best security practices to effectively prevent unauthorized access to BD Kiestra Systems.

For product support or site-specific concerns, please contact your regional customer service representative. North America customers may contact Lab Automation Regional Phone Support via email lab_automation_phone_support@bd.com or by phone 1-800-638-8663. EMEA customers may contact Customer Service Desk via email csd@bd.com or via phone +31 512 540 623.

--------- End Update B: October 2, 2018 ---------

This vulnerability has been assessed for patient safety by BD and represents a controlled risk with low probability of harm to the patient directly. If this particular functionality were to be exposed due to misuse or malicious abuse, this could lead to a loss of data or corruption of data. This could potentially cause a delay in test results being reported to the clinician, which could lead to a delay in diagnosis and/or treatment.

Risk Summary

BD has conducted internal risk assessments for the vulnerable applications and collaborated with the U.S. Department of Homeland Security (DHS) and Food and Drug Administration (FDA) to review baseline Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.

DB Manager, version 3.0.1.0
PerformA, version 3.0.0.0 and previous versions 
5.6 Medium CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
Note: PerformA is used by BD authorized service personnel only

Adjacent access is required to exploit this vulnerability. Attack complexity is high based on needing access to a privileged account on a BD Kiestra system. Only users with higher level access privileges have access to the vulnerable function. A user interface is necessary to carry out an attack. The scope is unchanged as executing a SQL attack would only affect the local system. Confidentiality is not at risk because SQL select statements will not return values nor are they visible through a user interface. 

Authorized users with privileged access could affect the integrity of data and availability of the system. If successful, a privileged user may gain access to the Database Management functionally which grants full administrative control of data stored in the database. This vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.

ReadA Overview, version 1.1.0.2 and previous versions 
6.3 Medium CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Adjacent access is required to exploit this vulnerability. Attack complexity is high based on having access to a privileged account on a BD Kiestra system. Only users with higher level access privileges have access to the vulnerable function. A user interface is necessary to carry out this attack. The scope is unchanged as executing a SQL attack would only affect the local system. 

Authorized users with privileged access could affect the confidentiality, integrity of data and availability of the BD Kiestra systems. If successful, a privileged user may gain access to the Database Management functionally which grants full control of data stored in database. This vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.