BD is aware of and is monitoring multiple vulnerabilities in third-party vendor BusyBox software. These vulnerabilities are not exclusive to BD nor to medical devices. BD is providing this update to educate customers on which BD products could be affected by these third-party vulnerabilities.
These third-party vulnerabilities, if exploited, may allow an unauthorized user with access to the customer’s wireless network to gain access to a customer’s wireless credentials or other sensitive information by sending a crafted Dynamic Host Configuration Protocol (DHCP) message.
This vulnerability was reported to BD by security vendor Palo Alto Networks. However, BD has not received any reports of these third-party vulnerabilities being exploited on BD products.
The product lists below are available to customers to help identify existing BD products that utilize the affected BusyBox software components. The lists may be updated as more products are identified. Please check back periodically for updates and security patch notifications.
The BD products listed below are in scope for CVE-2016-2148, CVE-2018-20679, and CVE-2019-5747:
*Only applies to devices containing the 802.11 a/b/g/n Wireless Network Card on the back of the BD Alaris™ PC Unit, Model 8015.
The BD product listed below is in scope for CVE-2018-1000517:
A clinical risk assessment and patient safety impact was not completed for BD Alaris™ PC Unit, Model 8015 because the vulnerability is limited to the wireless card (while the attack is in process) and neither the integrity nor availability of the pump is impacted by this vulnerability.
A successful attack on the BD FocalPoint™ Slide Profiler APPS Workstation may impact system availability (i.e., may cause system downtime, requiring a service visit). As cervical cytology slides can be evaluated manually when the system is unavailable, lack of system availability is not anticipated to introduce a significant delay in results reporting.
BD is currently working to remediate this vulnerability for BD products that use the affected third-party components. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize the affected software:
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.