true

Third-party Vulnerability

Third-Party Vulnerability: Fortinet FortiOS

Background

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

BD is aware of and currently monitoring a vulnerability affecting all versions of Fortinet FortiOS products in use by BD. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party Fortinet vulnerability:

  • CVE-2022-40684 - An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Products that utilize impacted versions of FortiOS

This notification applies to the following BD products:

  • BD Kiestra™ TLA/WCA
  • BD Kiestra™ TLA Track
  • BD Kiestra™ ReadA

 

Only those BD Kiestra™ products mentioned above that contain a System Control Unit (SCU) version 2.5 (released in 2022) are impacted. Earlier versions of the SCU are not impacted.

This list does not indicate the patch or device status. The list may be updated if more products are identified. Please check back periodically for updates.

Response

BD is currently working to test and validate the patch(es) or other mitigations for BD products that use the affected third-party component. Please refer to the Bulletins and Patches page for all approved product security patching notifications. BD recommends the following mitigations and compensating controls in order to help reduce risk associated with this vulnerability:

  • By design, the BD Kiestra™ products already have the compensating control in place for Limiting IP addresses that can reach the administrative interface. Please refer to Fortinet PSIRT Advisory FG-IR-22-377 for more information on this compensating control.
  • Monitor network intrusion for rogue http/https traffic and malicious packets.
  • This third-party vulnerability is expected to be remediated in the BD Kiestra™ products in the upcoming patch cycle.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.