
Product Security Bulletin for Treck TCP/IP Stack Vulnerabilities


This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA).

BD has established a routine practice of seeking, communicating, and addressing potential cybersecurity vulnerabilities affecting our products and/or related systems in a timely fashion. Vulnerability disclosure is an essential component of BD’s approach to transparency, enabling customers to properly manage potential risk.

In the spirit of collaboration, BD also voluntarily reported the contents of this bulletin to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).

Background

BD has assessed nineteen announced vulnerabilities (the set publicly reported as Ripple20) with the potential to impact third-party embedded devices that use the Treck TCP/IP stack, a third-party component used to implement networking communication protocols. These vulnerabilities are not exclusive to BD or to medical devices that use the Treck TCP/IP networking stack. BD is providing this notification to inform customers which BD products could be affected by these third-party vulnerabilities and under what conditions. BD has not received any reports of these third-party vulnerabilities being exploited on BD products.

Products in Scope

BD has discovered that two BD product suites include third-party components that utilize the Treck TCP/IP networking stack.

Three BD Kiestra™ products include a third-party Schneider Electric APC Uninterruptible Power Supply (UPS) for backup battery power, which utilizes the Treck TCP/IP stack.

  • BD Kiestra™ Total Lab Automation (TLA) with a System Control Unit (SCU)
  • BD Kiestra™ Work Cell Automation (WCA) with a System Control Unit (SCU)
  • BD Kiestra™ ReadA standalone with a System Control Unit (SCU)

Two peripheral technologies used with BD Rowa™ Vmax contain third-party Beck PLC controllers (SCL143L and SCL143LF) for control functionality, which utilize the Treck TCP/IP stack.

  • BD Rowa™ conveyor technology
  • BD Rowa™ label printer

Vulnerability Details

The BD Kiestra™ Systems with SCU use the APC UPS to ensure that the system gracefully shuts down in the event of a power outage. The APC UPS used by the SCU within the BD Kiestra™ Systems could potentially be affected by four of the nineteen Treck TCP/IP networking stack vulnerabilities, specifically CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, and CVE-2020-11901. If these vulnerabilities were exploited, the APC UPS would disconnect and would not provide electrical power to the BD Kiestra™ System in the event of a power outage.

If a customer experiences a power outage and the BD Kiestra™ System has no battery power left from the APC UPS, the BD Kiestra™ System will perform a hard shutdown. An unauthorized user would not have access to or be able to perform remote commands on the APC UPS or BD Kiestra™ System.

Beck PLC controllers (SCL143L and SCL143LF), which the BD Rowa™ conveyor technology and BD Rowa™ label printer use for control functionality, are affected by twelve of the nineteen announced Treck TCP/IP networking stack vulnerabilities, specifically CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, and CVE-2020-11907. If exploited, an unauthorized user could potentially cause a denial of service on the BD Rowa™ conveyor technology and BD Rowa™ label printer, which could render those systems inoperable. An unauthorized user would not be able to perform remote commands on the systems or gain access to the connected BD Rowa™ Vmax.

Product Security Assessment and Vulnerability Score

BD has assessed the following third-party vulnerabilities using the Common Vulnerability Scoring System (CVSS) version 3.1 (https://www.first.org/cvss/).

BD Kiestra™ Systems: 5.1 (Medium) AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Rationale: To exploit these vulnerabilities, an unauthorized user would need local access to the same internal network that the APC UPS is connected to. Since specialized access conditions and/or extenuating circumstances are needed for an exploit to occur, the attack complexity is high. No user privileges or user interaction are required to exploit these vulnerabilities. The scope of a potential attack remains unchanged, and these vulnerabilities have no impact on the confidentiality or integrity of the system. Exploiting these vulnerabilities could potentially have a high impact on the availability of the APC UPS.

BD Rowa™ Conveyor technology: 2.9 (Low) AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Rationale: An unauthorized user would need local access, such as to the system’s internal network, to exploit these vulnerabilities. Since specialized access conditions and/or extenuating circumstances are needed for an exploit to occur, the attack complexity is high. No user privileges or user interaction are required to exploit these vulnerabilities. The scope of a potential attack remains unchanged, and these vulnerabilities have no impact on the confidentiality or integrity of the system. Exploiting these vulnerabilities could potentially have a low impact on the availability of the system.

BD Rowa™ Label printer: 4.0 (Medium) AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Rationale: An unauthorized user would need local access, such as to the system’s internal network, to exploit these vulnerabilities. Since specialized access conditions and/or extenuating circumstances are needed for an exploit to occur, the attack complexity is high. No user privileges or user interaction are required to exploit these vulnerabilities. The scope of a potential attack remains unchanged, and these vulnerabilities have no impact on the confidentiality of the system. Exploiting these vulnerabilities could potentially have a low impact on the integrity and the availability of the system.

Clinical Risk Assessment and Patient Safety Impact

Based on the risk evaluation for these vulnerabilities, the potential risks are negligible. The products in scope are peripheral components and are not connected directly to patients. They are used in restricted facilities with controlled physical access, such as labs and pharmacies. BD has not received any reports of these third-party vulnerabilities being exploited on BD products.

If exploited, the APC UPS (Uninterruptible Power Supply) may not provide backup battery power to the BD Kiestra™ System in the event of a power outage. If the BD Kiestra™ System loses power, it would perform a hard shutdown and lab results could potentially be delayed. Continuous monitoring of the availability of the APC UPS is already in place.

If exploited, the BD Rowa™ conveyor technology and BD Rowa™ label printer may become inoperable. While the BD Rowa™ label printer prints sensitive data, the probability of an unauthorized user modifying sensitive data is extremely low due to the BD Rowa™ label printer’s lack of connectivity to external-facing networks.

Mitigations & Compensating Controls

Begin Update A: October 15, 2020

BD is currently working to test and validate the patch for BD products that utilize the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications.

End Update A: October 15, 2020

Additionally, BD recommends the following mitigations and compensating controls to help our customers reduce risks associated with these third-party Treck TCP/IP stack vulnerabilities.


BD Kiestra™ Total Lab Automation (TLA) with a SCU, BD Kiestra™ Work Cell Automation (WCA) with a SCU, and BD Kiestra™ ReadA standalone with a SCU

  • Consider using a UPS provided by customer IT departments
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.
  • Customers with Intrusion Detection Systems (IDS) should consider monitoring wireless networks for potential malicious activity.
  • Minimize network exposure to devices and ensure devices are not accessible from the internet unless essential.

BD Rowa™ Conveyor technology and BD Rowa™ Label printer

  • Whenever possible, the BD Rowa™ Vmax should operate on an isolated network behind a firewall.
  • Ensure remote access methods to the BD Rowa™ Vmax are secure.
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.
  • Customers with Intrusion Detection Systems (IDS) should consider monitoring networks for potential malicious activity.
  • Minimize network exposure to devices and ensure devices are not accessible from the internet unless essential.

Original Publication Date: July 30, 2020
Last Updated: October 15, 2020

Additional Resources

For more information on BD's proactive approach to product security and vulnerability management, contact our Product Security Office: https://www.bd.com/productsecurity

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.

BD
Franklin Lakes, NJ
07417
United States

bd.com
© 2020 BD
