
Third-party Vulnerability

WRECK

Background

Last Updated: June 30, 2022

Original Publication: August 06, 2021

This third-party product security bulletin is not associated with recalls of BD products.

BD has assessed nine (9) new Domain Name System (DNS) vulnerabilities collectively referred to as WRECK. These vulnerabilities are not exclusive to BD or medical devices that use the impacted TCP/IP network stacks. If exploited, a successful compromise could allow remote unauthorized access, Denial of Service (DoS), or Remote Code Execution (RCE) that could lead to failure of critical device functions.


One (1) of the nine (9) vulnerabilities has the potential to impact BD products. BD is providing this update to let customers know which BD products could be affected by this series of third-party vulnerabilities.

There have been no reports of these vulnerabilities being exploited on BD products.

Begin Update B: June 30, 2022

Remediation

BD has released the following Alaris™ PC Unit software, which addresses CVE-2016-20009:

  • Alaris™ PC Unit Software Version 12.1.3

BD recommends that customers update to Alaris™ PC Unit version 12.1.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Sales Representative for assistance with scheduling the remediation.

End Update B: June 30, 2022

Begin Update A: November 9, 2021

Nucleus13 is a group of vulnerabilities announced on November 9, 2021 that impacts devices using the NucleusNet TCP/IP stack. The NucleusNet TCP/IP stack was also impacted by the WRECK vulnerabilities. The BD products in scope for WRECK, BD Alaris™ PC Unit and BD FocalPoint™ Slide Profiler APPS Workstation, do not utilize the NucleusNet TCP/IP network stack and are not in scope for Nucleus13.

End Update A: November 9, 2021

Scope

  • Interpeak IPnet standalone TCP/IP networking stack

BD Products that Utilize Interpeak IPnet Standalone TCP/IP Networking Stack

The product list below identifies existing BD products that utilize the Interpeak IPnet standalone TCP/IP networking stack. The list may be updated as more products are identified. Please check back periodically for updates and security patch notifications.

  • BD Alaris™ PC Unit (BD Alaris PCU)
  • BD FocalPoint™ Slide Profiler APPS Workstation (instrument only) (BD FocalPoint)

Clinical Risk Assessment and Patient Safety Impact

A successful attack may cause a System Error on the BD Alaris PC Unit, which may result in interruption or delay.

  • Interruption: When the System Error occurs, the BD Alaris PC Unit remains on, presents audio and visual alarms, and displays an error code on the main screen. Modules that are infusing at the time of the alarm will continue to infuse; however, titration of medication is not possible. The clinical user may decide to stop the infusions while attempting to clear the visible and audible alarms by power cycling the BD Alaris PC Unit or exchanging the system, which would result in an interruption of infusion. A power cycle (turning the BD Alaris PC Unit off and on) will allow the clinician to reprogram and restart the infusion.
  • Delay: A System Error can result in a delay of an infusion due to a loss of communication between the BD Alaris PC Unit and the infusion module.


For this vulnerability to be exploited while the BD Alaris PC Unit is being used in patient care areas, a highly improbable sequence of events must occur. This vulnerability was identified in a testing environment that simulated malicious activity and has never been reported to occur during use of the Alaris PCU.

A successful attack on the BD FocalPoint Slide Profiler APPS Workstation may impact system availability (i.e., may cause system downtime, requiring a service visit). As cervical cytology slides can be evaluated manually when the system is unavailable, lack of system availability is not anticipated to introduce a significant delay in results reporting.

Response

Mitigations and Compensating Controls

BD is currently working to remediate this vulnerability for BD products that use the affected third-party components. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, BD recommends the following compensating controls for customers using BD products that utilize the affected software:

  • Configure SSID settings for the pump wireless network with fixed internal DNS entries
  • Employ access control lists for valid devices only
  • Enforce network segmentation controls and proper network hygiene measures such as restricting external communication paths and isolating or containing vulnerable devices in zones accessible by authorized users
  • Monitor network intrusion for rogue traffic and malicious packets


An additional compensating control is recommended for the BD Alaris™ PC Unit:

  • BD recommends facilities consider configuring pumps with the static IP address of the Systems Manager instead of using the DNS service
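One concrete form the monitoring control listed above can take, written here as an added example that is not BD's code and is not taken from the bulletin: a wire-format sanity check for DNS replies, of the kind a forwarding resolver or network sensor can apply before a reply reaches a device that uses an embedded TCP/IP stack. Because the WRECK findings concern how such stacks parse DNS message compression, the check concentrates on compression pointers and record lengths; the sample messages, names and addresses are constructed for the example.

```python
import struct

# Constructed sample responses (not from the bulletin): 1 question (pump.local A IN),
# then 1 answer whose owner name is a compression pointer; the answer starts at offset 28.
HEADER = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # id, flags, qd, an, ns, ar
QUESTION = b"\x04pump\x05local\x00" + struct.pack(">HH", 1, 1)
RR_A = struct.pack(">HHIH", 1, 1, 60, 4) + b"\x0a\x00\x00\x01"    # A IN TTL 60 -> 10.0.0.1
BENIGN = HEADER + QUESTION + b"\xc0\x0c" + RR_A                   # pointer back to offset 12
SELF_POINTER = HEADER + QUESTION + b"\xc0\x1c" + RR_A             # pointer to its own offset
BAD_RDLENGTH = HEADER + QUESTION + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 500) + b"\x0a\x00\x00\x01"

def check_name(msg, offset):
    """Validate the name at `offset`; return the next field's offset or raise ValueError."""
    pos, resume = offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                # compression pointer, RFC 1035 4.1.4
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            resume = pos + 2 if resume is None else resume
            # Backward-only pointers reject self-references, forward jumps and loops.
            if target >= pos:
                raise ValueError("compression pointer does not point backwards")
            pos = target
            continue
        if length > 63:                            # also rejects reserved 0x40/0x80 label types
            raise ValueError("label longer than 63 octets")
        pos += 1 + length
        if length == 0:                            # root label ends the name
            return resume if resume is not None else pos

def audit_dns_message(msg):
    """Return a list of wire-format defects in a DNS message (empty when well-formed)."""
    try:
        qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])   # struct.error if header is short
        pos = 12
        for _ in range(qd):
            pos = check_name(msg, pos) + 4         # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            pos = check_name(msg, pos)
            pos += 10 + struct.unpack(">H", msg[pos + 8:pos + 10])[0]   # fixed RR header + RDLENGTH
        if pos > len(msg):
            raise ValueError("section data runs past end of message")
    except (ValueError, struct.error) as exc:
        return [str(exc)]
    return []
```

A non-empty result is a reason to drop the reply and raise an alert; it is a structural check only and does not validate the answer data itself.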

Additional Resources

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.