BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting the confidentiality, integrity, and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client such as a computer, phone, Wi-Fi base station, or other equipment, even if the data is encrypted. This is NOT a BD-specific vulnerability, but it could affect any Wi-Fi device that uses the WPA2 protocol.
The set of vulnerabilities disclosed has been called Key Reinstallation attACKs (KRACK), which if exploited can potentially affect all business industries, including the healthcare industry. "KRACK" allows data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data into it. However, for KRACK to be successfully exploited an attacker would have to be within physical range of an affected Wi-Fi access point and client.
Please note that a number of BD products utilize third-party vendor technologies, which create an interdependence between BD patch deployment processes and third-party vendors' patch releases. The following list shows BD products that may reside on wireless networks that could be vulnerable to KRACK:
There is currently no reported verified instance of the KRACK vulnerability being exploited maliciously against BD devices.
The following BD products were determined to have a CVSS base score of 0.0 (None), vector CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N, during our internal evaluation.
KRACK can be exploited from an adjacent network. The attack complexity is high, as it requires proximity to an affected Wi-Fi access point and significant technical skills. No privileges or user interaction are required to exploit this vulnerability. The scope is unchanged, while confidentiality, integrity and availability are each rated None, as there is no impact due to the AES 128-bit encryption implemented between Alaris PC Units and Systems Manager.
The following BD products were determined to have a CVSS base score of 6.8 (Medium), vector CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, during our internal evaluation.
KRACK can be exploited from an adjacent network; however, the attack complexity is high, as it requires proximity to an affected Wi-Fi access point and significant technical skills. No privileges or user interaction are required to exploit this vulnerability. The scope is unchanged, while both confidentiality and integrity are rated High, as KRACK causes complete loss of control over unencrypted data. There is no availability impact.
Mitigations & Compensating Controls
Since data is encrypted using AES 128-bit encryption between Alaris PC Units and Systems Manager, no further mitigations were necessary for the following products.
BD has implemented third-party vendor patches through BD's routine patch deployment process. As a result, the following BD products have been patched against this vulnerability:
Due to the design and functionality of the products listed below, coordination with customers is necessary to properly deploy patches. BD is in the process of contacting customers to schedule and deploy patches.
Additionally, BD recommends the following compensating controls in order to reduce risk associated with this vulnerability:
--------- Begin Update C: June 7, 2018 ---------
This updated advisory is a follow-up to the original advisory titled Product Security Bulletin for WPA2 "KRACK" Wi-Fi Vulnerability that was originally published October 27, 2017 on the BD Product Security and Privacy web site. This advisory applies to BD product versions with regularly supported operating systems from Microsoft®. Please contact your BD Service representative if you have versions of Pyxis products that are end-of-life or end-of-support, or that are running unsupported operating systems.
--------- End Update C: June 7, 2018 ---------
--------- Begin Update B: April 4, 2018 ---------
This updated advisory is a follow-up to the original advisory titled Product Security Bulletin for WPA2 "KRACK" Wi-Fi Vulnerability that was published October 27, 2017 on the BD Product Security and Privacy web site.
For product or site-specific concerns, contact your BD service representative.
For more information on BD's proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
April 2018
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
BD
Franklin Lakes, NJ
07417
United States
bd.com
© 2018 BD
--------- End Update B: April 4, 2018 ---------
Original Update: October 27, 2017
There is currently no reported verified instance of the KRACK vulnerability being exploited maliciously against medical devices; however, if KRACK is successfully exploited in healthcare facilities, it has been reported that affected hospital networks could experience patient record changes and/or exfiltration and major IT disruptions. To prevent such issues, remediating KRACK will require a series of actions to be taken by the IT departments of healthcare facilities and by the vendors on which BD depends.
BD recommends the following for Wi-Fi enabled networks and clients to minimize risk and impact:
Ensure the latest recommended updates from device manufacturers have been installed
Ensure appropriate physical controls are in place
Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures
Please note that a number of BD products utilize third-party vendor technologies, which create an interdependence between BD patch deployment processes and third-party vendors' patch releases. The following list shows BD products that may reside on wireless networks that could be vulnerable to KRACK:
For product or site-specific concerns, contact your BD service representative.
For additional technical details and indicators associated with this vulnerability, review US-CERT Vulnerability Note VU#228519.