Product Security Bulletin for Linux Kernel Vulnerability within Wi-Fi Module in Alaris PCU

Background

This notification provides product security information and recommendations related to the third-party vulnerability found within the Linux Kernel v4.4.97 in the BD Alaris™ PC Unit 8015, which uses the Laird Wireless Network Module WB40N for wireless communication. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC). 

This vulnerability is not exclusive to BD or medical devices. BD is providing this update to educate customers on which BD products could be affected by this third-party vulnerability.

BD has not received any reports of this third-party vulnerability being exploited on BD products.

BEGIN UPDATE A: Oct 26, 2023

Remediation 

BD has released the following BD Alaris™ PC Unit Software, which remediates CVE-2019-11479:

  • BD Alaris™ PC Unit Software Version 12.3.1 
  • Card Image

BD recommends that customers update to BD Alaris™ PCU version 12.3.1 software, where available, based on regulatory authorization. Customers that require software updates should contact their BD Account Executive to assist with scheduling the remediation.

END UPDATE A: Oct 26, 2023

Products in Scope

This notification applies to customers that utilize the Laird Wireless Module WB40N for wireless connectivity. This vulnerability does not apply to customers who do not use the wireless capabilities of the BD Alaris™ PC Unit, or who use one of the other approved wireless cards.

Versions of the BD Alaris™ PC Unit that could utilize the Laird Wireless Module WB40N include 9.13, 9.19, 9.33, and 12.1.

Vulnerability Details

CVE-2019-11479: Linux Kernel Low MSS Value Response Segmentation Resource Consumption Remote DoS

This vulnerability applies to the Linux Kernel v4.4.97 within the Laird Wireless Module WB40N, which the BD Alaris™ PC Unit utilizes for wireless communication. If exploited, this vulnerability could allow an unauthorized user to cause a denial of service condition on the wireless module and potentially cause the BD Alaris™ PC Unit to disconnect from the facility's network. The connected Alaris™ modules would continue to operate as programmed, while the BD Alaris™ PC Unit automatically recovers and reconnects to the network. Wireless functionality operates independently from the pump system, and a disruption in wireless connectivity would not affect pump module functionality. BD has received no reports of exploits related to BD products being impacted by this third-party vulnerability.

Clinical Risk Assessment and Patient Safety Impact

Based on the risk evaluation for this vulnerability, the potential risk is negligible. If exploited, this third-party vulnerability could lead to a drop in the wireless communication of the BD Alaris™ PC Unit. The Alaris™ PC Unit and attached modules would continue to function as programmed. Guardrails Safety Software would still be available; however, network-based services such as interoperability would not be available.

Exploiting this vulnerability would not provide administration access to the BD Alaris™ PC Unit or the BD Alaris™ Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris™ PC Unit. If the wireless connection were dropped, the BD Alaris™ PC Unit and attached modules would continue to function as intended without a wireless connection.

Product Security Risk Assessment and Vulnerability Score

BD has assessed the following vulnerability using the Common Vulnerability Scoring System (CVSS) version 3.0 (https://www.first.org/cvss/):

CVE-2019-11479: 5.3 (medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Rationale: Access to the same network that the device is connected to, for example the local Wi-Fi, is a prerequisite for an attack to occur. Specialized access conditions and/or extenuating circumstances are not needed; therefore, the attack complexity is low. No user privileges or interaction are required to exploit this vulnerability. The scope of a potential attack remains unchanged, and this vulnerability has no impact on the confidentiality and integrity of the system. This vulnerability could have a low impact on availability, limited to the BD Alaris™ PC Unit's network connectivity, if a denial of service attack were successful.

Mitigations & Compensating Controls

While the Linux Kernel is a third-party component, BD products utilize it for connectivity. Therefore, we recommend the following mitigations and compensating controls to help our customers reduce the risks associated with this third-party vulnerability:

  • Consider stronger network controls for wireless authentication that are harder to spoof or substitute, such as WPA2-Enterprise (802.1X-based) authentication rather than pre-shared keys
  • Customers with Intrusion Detection Systems (IDS) should consider monitoring wireless networks with patient connected devices for possible malicious activity
  • BD Alaris™ Systems Manager should be considered a critical service. Whenever possible, it should operate on a secured network behind a firewall, it should be patched regularly, and should have malware protection
  • Ensure that the BD Alaris™ PC Unit and BD Alaris™ Systems Manager are separated by a firewall
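CVE-2019-11479 is triggered by a TCP peer that negotiates an abnormally small maximum segment size (MSS), which forces the vulnerable kernel to fragment its send queue into many tiny segments. A customer cannot patch the kernel inside the Laird module, but the IDS monitoring recommended above can look for exactly that precondition on the wireless segment: a TCP SYN advertising a very low MSS. The following is an added illustration, not BD's code or part of the original bulletin. It parses a raw IPv4/TCP packet, extracts the MSS option, and flags SYNs whose MSS falls below a threshold; the 500-byte threshold and the sample packets are assumptions constructed for the example.

```python
import struct
from typing import Optional

# Threshold is an assumption for this example. The kernel's hard-coded
# minimum MSS of 48 bytes is what CVE-2019-11479 abuses; the commonly
# recommended hardening is to reject SYNs advertising an MSS below about
# 500 bytes, since no legitimate network path needs one that small.
LOW_MSS_THRESHOLD = 500

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_FLAG_SYN = 0x02
IP_PROTO_TCP = 6


def parse_tcp_options(options: bytes) -> dict:
    """Parse TCP option TLVs into {kind: payload}. EOL and NOP carry no length byte."""
    opts = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break  # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # malformed length: stop rather than read past the buffer
        opts[kind] = options[i + 2:i + length]
        i += length
    return opts


def inspect_ipv4_tcp(packet: bytes) -> Optional[dict]:
    """Return {'syn', 'mss', 'low_mss'} for an IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20 or packet[9] != IP_PROTO_TCP:
        return None
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or len(tcp) < data_offset:
        return None
    syn = bool(tcp[13] & TCP_FLAG_SYN)
    opts = parse_tcp_options(tcp[20:data_offset])
    mss = None
    if TCP_OPT_MSS in opts and len(opts[TCP_OPT_MSS]) == 2:
        mss = struct.unpack("!H", opts[TCP_OPT_MSS])[0]
    # Only a SYN negotiates MSS, so only SYNs with a tiny MSS are suspicious.
    low = syn and mss is not None and mss < LOW_MSS_THRESHOLD
    return {"syn": syn, "mss": mss, "low_mss": low}


def build_syn(mss: int, flags: int = TCP_FLAG_SYN) -> bytes:
    """Constructed sample packet: IPv4 header + TCP header with an MSS option (checksums zeroed)."""
    # data offset 7 words = 20-byte header + 8 bytes of options
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 7 << 4, flags, 65535, 0, 0)
    tcp_opts = bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", mss) + bytes([TCP_OPT_NOP] * 3 + [TCP_OPT_EOL])
    total_len = 20 + len(tcp_hdr) + len(tcp_opts)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IP_PROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + tcp_hdr + tcp_opts


def count_low_mss_syns(packets) -> int:
    """Count packets that an IDS rule built on inspect_ipv4_tcp would alert on."""
    return sum(1 for p in packets if (r := inspect_ipv4_tcp(p)) and r["low_mss"])


if __name__ == "__main__":
    sample = [build_syn(48), build_syn(1460), build_syn(48, flags=0x10)]  # SYN, SYN, ACK
    for pkt in sample:
        print(inspect_ipv4_tcp(pkt))
    print("suspicious SYNs:", count_low_mss_syns(sample))
```

Where the wireless clients pass through a Linux gateway the customer controls, the same check can be enforced rather than just observed: the iptables `tcpmss` match (for example `-p tcp --syn -m tcpmss --mss 1:500 -j DROP`) rejects such SYNs, and kernels carrying the upstream fix expose `net.ipv4.tcp_min_snd_mss` to raise the minimum the stack will accept. Neither knob is reachable inside the Laird module itself, which is why the vendor software update remains the remediation.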

For More Information

For product- or site-specific concerns, contact your BD service representative.
