Last Updated: June 30, 2022
Original Publication: August 06, 2021
This third-party product security bulletin is not associated with recalls of BD products.
BD has assessed nine (9) new Domain Name System (DNS) vulnerabilities collectively referred to as WRECK. These vulnerabilities are not exclusive to BD or medical devices that use the impacted TCP/IP network stacks. If exploited, a successful compromise could allow remote unauthorized access, Denial of Service (DoS), or Remote Code Execution (RCE) that could lead to failure of critical device functions.
One (1) of the nine (9) vulnerabilities has the potential to impact BD products. BD is providing this update to let customers know which BD products could be affected by this series of third-party vulnerabilities.
There have been no reports of these vulnerabilities being exploited on BD products.
BD has released the following Alaris™ PC Unit software, which addresses CVE-2016-20009:
BD recommends that customers update to Alaris™ PC Unit version 12.1.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Sales Representative to assist with scheduling the remediation.
Nucleus13 is a group of vulnerabilities that was announced on November 9, 2021 and impacts devices that use the NucleusNet TCP/IP stack. The NucleusNet TCP/IP stack was also impacted by the WRECK vulnerabilities. The BD products in scope for WRECK, BD Alaris™ PC Unit and BD FocalPoint™ Slide Profiler APPS Workstation, do not use the NucleusNet TCP/IP network stack and are therefore not in scope for Nucleus13.
A successful attack may cause a System Error on the BD Alaris PC Unit, which may result in interruption or delay.
For this vulnerability to be exploited while the BD Alaris PC Unit is being used in patient care areas, a highly improbable sequence of events must occur. This vulnerability was identified in a testing environment in which malicious intent was assumed, and it has never been reported to occur during use of the Alaris PCU.
A successful attack on the BD FocalPoint Slide Profiler APPS Workstation may impact system availability (i.e., may cause system downtime, requiring a service visit). As cervical cytology slides can be evaluated manually when the system is unavailable, lack of system availability is not anticipated to introduce a significant delay in results reporting.
BD is currently working to remediate this vulnerability for BD products that use the affected third-party components. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, BD recommends the following compensating controls for customers using BD products that utilize the affected software:
An additional compensating control is recommended for the BD Alaris™ PC Unit:
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.