This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA).
This third-party product security bulletin is not related to the BD Alaris™ System Recall Notification issued on Feb. 4, 2020.
BD has established a routine practice of seeking, communicating, and addressing potential cybersecurity vulnerabilities affecting our products and/or related systems in a timely fashion. Vulnerability disclosure is an essential component of BD’s approach to transparency, because it enables customers to properly manage potential risk.
This notification provides product security information and recommendations related to a security vulnerability found within the Linux Kernel v4.4.97, which is a third-party open source kernel the Laird Wireless Network Module WB40N uses to facilitate the Wi-Fi connectivity of wireless devices and instruments. The BD Alaris™ PC Unit 8015 uses the Laird Wireless Module WB40N for wireless communication.
The contents of this notification will be disclosed publicly on the BD Product Security website. In the spirit of collaboration, BD also voluntarily reported the contents of this bulletin to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).
BD has been made aware of a third-party vulnerability that applies to the Linux Kernel v4.4.97, which the Laird Wireless Network Module WB40N utilizes. The BD Alaris™ PC Unit 8015 uses the Laird Wireless Network Module WB40N for wireless communication. Therefore, BD customers who use the third-party Linux Kernel v4.4.97 with the BD Alaris™ PC Unit 8015 to facilitate Wi-Fi connectivity could potentially be impacted by this third-party vulnerability.
This vulnerability is not exclusive to BD or medical devices. BD is providing this update to educate customers on which BD products could be affected by this third-party vulnerability.
BD has received no reports of exploits related to BD products being impacted because of this third-party vulnerability.
This notification applies to customers that utilize the Laird Wireless Module WB40N for wireless connectivity. This vulnerability does not apply to customers who do not use the wireless capabilities of the BD Alaris™ PCU Unit, or who use other approved wireless cards in it.
Versions of the BD Alaris™ PCU Unit that could utilize the Laird Wireless Module WB40N include 9.13, 9.19, 9.33, and 12.1.
CVE-2019-11479: Linux Kernel Low MSS Value Response Segmentation Resource Consumption Remote DoS
This vulnerability applies to the Linux Kernel v4.4.97 within the Laird Wireless Module WB40N, which the BD Alaris™ PC Unit utilizes for wireless communication. If exploited, this vulnerability could allow an unauthorized user to cause a denial of service on the target system and potentially cause the BD Alaris™ PC Unit to disconnect from the facility’s network. The connected Alaris™ modules would continue to operate as programmed, while the BD Alaris™ PC Unit automatically recovers and reconnects to the network. Wireless functionality operates independently from the pump system, and a disruption in wireless connectivity would not affect pump module functionality. BD has received no reports of exploits related to BD products being impacted by this third-party vulnerability.
Based on the risk evaluation for this vulnerability, the potential risk is negligible. If exploited, this third-party vulnerability could lead to a drop in the wireless communication of the BD Alaris™ PC Unit. The Alaris™ PC Unit and attached modules would continue to function as programmed. Guardrails Safety Software would still be available; however, network-based services such as interoperability would not be available.
Exploiting this vulnerability would not provide administration access to the BD Alaris™ PC Unit or the BD Alaris™ Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris™ PC Unit. If the wireless connection were dropped, the BD Alaris™ PC Unit and attached modules would continue to function as intended without a wireless connection.
BD has assessed the following vulnerability using the Common Vulnerability Scoring System (CVSS) version 3.0 (https://www.first.org/cvss/):
Rationale: Access to the same network that the device is connected to, for example the local Wi-Fi, is a prerequisite for an attack to occur. Specialized access conditions and/or extenuating circumstances are not needed; therefore, the attack complexity is low. No user privileges or user interaction are required to exploit this vulnerability. The scope of a potential attack remains unchanged, and this vulnerability has no impact on the confidentiality or integrity of the system. This vulnerability could have a low impact on the availability of the customer network if a denial of service attack were successful.
While the Linux Kernel is a third-party component, BD products utilize it for connectivity. Therefore, we recommend the following mitigations and compensating controls to help our customers reduce the risks associated with this third-party vulnerability:
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office:
Product Security Bulletin for BD Alaris™ PC Unit
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ