This vulnerability does not impact products within the United States.
BD is aware of and currently monitoring a vulnerability in the LibSSH library that can result in an authentication bypass. This third-party vulnerability is not specific to BD or its products. BD is providing this update to let customers know which BD products could be affected by this third-party vulnerability.
BD has not received any reports of this vulnerability being exploited on BD products.
The product list below identifies existing BD products that use in-scope LibSSH versions. The list may be updated as more products are identified. This list does not indicate the patch or device status. Please check back periodically for updates.
The BD products listed below are in scope for CVE-2018-10933:
BD Alaris™ neXus GP pump v5.0 and v5.1 - Model: GPneXus1
BD Alaris™ neXus CC syringe pumps v5.0 - Models: CCneXus1 and CCneXus1-S
A successful exploitation of this vulnerability was concluded to be highly unlikely:
To exploit this vulnerability, a threat actor would first have to access the facility's internal network and establish an SSH connection to the device. They would then have to craft firmware compatible with the product and install it on the device, which would require administrator privileges, and then restart the device. Any such attack would only impact the integrity of the system, as there are no data exfiltration avenues and no reasonable means to destroy data through this attack.
Based on the considerations above, there is a low risk of any patient impact.
BD is currently working to test and validate the patch(es) for BD products that use the affected third-party component. Please refer to Bulletins and Patches for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using the above-listed BD products that utilize the affected LibSSH software:
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.