Product security bulletin for WPA2 "KRACK" Wi-Fi Vulnerability

Background

BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting the confidentiality, integrity, and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client such as computers, phones, Wi-Fi base stations, and other gear, even if the data is encrypted. This is NOT a BD-specific vulnerability, but could affect any Wi-Fi device that uses the WPA2 protocol.

The set of vulnerabilities disclosed have been called Key Reinstallation attACKs (KRACK), which if exploited can potentially affect all business industries including the healthcare industry. "KRACK" allows data traffic manipulation resulting in partial disclosure of encrypted communication or injection of data into it. However, for KRACK to be successfully exploited an attacker would have to be within physical range of an affected Wi-Fi access point and client.

Response

--------- Begin Update B: April 4, 2018 ---------

This updated advisory is a follow-up to the original advisory titled Product Security Bulletin for WPA2 "KRACK" Wi-Fi Vulnerability that was published October 27, 2017 on the BD Product Security and Privacy web site.

Affected Products

Please note that a number of BD products utilize third-party vendor technologies, which create an interdependence between BD patch deployment processes and third-party vendors' patch releases. The following list shows BD products that may reside on wireless networks that could be vulnerable to KRACK:

  • BD Alaris™ PC Unit Model 8000
  • BD Alaris™ PC Unit Model 8015
  • BD Alaris™ Gateway Workstation
  • BD Pyxis™ Anesthesia ES
  • BD Pyxis™ Anesthesia System 4000
  • BD Pyxis™ Anesthesia System 3500
  • BD Pyxis™ MedStation 4000 T2
  • BD Pyxis™ MedStation ES
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Supply Roller
  • BD Pyxis™ ParAssist System
  • BD Pyxis™ PARx
  • BD Pyxis™ CIISafe – Workstation
  • BD Pyxis™ StockStation System
  • BD Pyxis™ Parx handheld

There is currently no reported verified instance of the KRACK vulnerability being exploited maliciously against BD devices.

Risk Summary & Mitigation

The following BD products were determined to have a CVSS v3.0 base score of 0.0 (None), vector CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N, during our internal evaluation.

  • BD Alaris™ PC Unit Model 8000
  • BD Alaris™ PC Unit Model 8015

KRACK can be exploited from an adjacent network. The attack complexity is high, as it requires proximity to an affected Wi-Fi access point and significant technical skills. No privileges or user interaction are required to exploit this vulnerability. The scope is unchanged, while confidentiality, integrity and availability are rated None because there is no impact: the traffic between Alaris PC Units and Systems Manager is already protected by AES 128-bit encryption independent of the Wi-Fi layer.

The following BD products were determined to have a CVSS v3.0 base score of 6.8 (Medium), vector CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, during our internal evaluation.

  • BD Alaris™ Gateway Workstation
  • BD Pyxis™ Anesthesia ES
  • BD Pyxis™ Anesthesia System 4000
  • BD Pyxis™ Anesthesia System 3500
  • BD Pyxis™ MedStation 4000 T2
  • BD Pyxis™ MedStation ES
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Supply Roller
  • BD Pyxis™ ParAssist System
  • BD Pyxis™ PARx
  • BD Pyxis™ CIISafe – Workstation
  • BD Pyxis™ StockStation System
  • BD Pyxis™ Parx handheld

KRACK can be exploited from an adjacent network; however, the attack complexity is high, as it requires proximity to an affected Wi-Fi access point and significant technical skills. No privileges or user interaction are required to exploit this vulnerability. The scope is unchanged, while both confidentiality and integrity are rated High because KRACK causes complete loss of control over data that is not otherwise encrypted above the Wi-Fi layer. There is no availability impact.

Mitigations & Compensating Controls

Since data is encrypted using AES 128 bit encryption between Alaris PC Units and Systems Manager, no further mitigations were necessary for the following products.

  • BD Alaris™ PC Unit Model 8000
  • BD Alaris™ PC Unit Model 8015

BD has implemented third-party vendor patches through BD's routine patch deployment process. As a result, the following BD products have been patched against this vulnerability:

  • BD Alaris™ Gateway Workstation
  • BD Pyxis™ Anesthesia ES
  • BD Pyxis™ Anesthesia System 4000
  • BD Pyxis™ Anesthesia System 3500
  • BD Pyxis™ MedStation 4000 T2
  • BD Pyxis™ MedStation ES
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Supply Roller
  • BD Pyxis™ CIISafe – Workstation
  • BD Pyxis™ StockStation System

Due to the design and functionality of the products listed below, coordination with customers is necessary to properly deploy patches. BD is in the process of contacting customers to schedule and deploy patches.

  • BD Pyxis™ ParAssist System
  • BD Pyxis™ PARx
  • BD Pyxis™ Parx handheld

Additionally, BD recommends the following compensating controls in order to reduce risk associated with this vulnerability:

  • Ensure the latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi enabled networks
  • Ensure appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

For More Information

For product or site-specific concerns, contact your BD service representative.

For more information on BD's proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity

April 2018
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.

BD

Franklin Lakes, NJ
07417
United States

bd.com
© 2018 BD

--------- End Update B: April 4, 2018 ---------

Original Update: October 27, 2017

There is currently no reported verified instance of the KRACK vulnerability being exploited maliciously against medical devices; however, if KRACK is successfully exploited in healthcare facilities, it has been reported that affected hospital networks could experience patient record changes and/or exfiltration and major IT disruptions. In order to prevent such issues, remediating KRACK will require a series of actions to be taken by the IT Department in healthcare facilities and vendors on which BD depends.

BD recommends the following for Wi-Fi enabled networks and clients to minimize risk and impact:

  • Ensure the latest recommended updates from device manufacturers have been installed
  • Ensure appropriate physical controls are in place
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

Please note that a number of BD products utilize third-party vendor technologies, which create an interdependence between BD patch deployment processes and third-party vendors' patch releases. The following list shows BD products that may reside on wireless networks that could be vulnerable to KRACK:

  • Alaris 8000
  • Alaris 8015
  • Pyxis Anesthesia System ES
  • Pyxis Anesthesia System 4000
  • Pyxis Anesthesia System 3500 (Non DOD)
  • Pyxis MedStation ES
  • Pyxis SupplyStation
  • Pyxis Supply Roller
  • Pyxis ParAssist System
  • Pyxis PARx system
  • Pyxis StockStation system
  • Pyxis Specimen Collection Verification
  • Pyxis Infant Care Verification
  • Pyxis Medication Administration
  • Pyxis Nursing Data Collection
  • Pyxis Transfusion Verification

For product or site-specific concerns, contact your BD service representative.

For additional technical details and indicators associated with this vulnerability, review US-CERT Vulnerability Note VU#228519.