Background and Scope
BD is currently monitoring the Meltdown and Spectre vulnerabilities. While these vulnerabilities are hardware-based, they impact multiple operating systems. A flaw in central processing units (CPUs) could allow malicious software to gain access to other processes and data on any impacted computer or server, including cloud applications. These vulnerabilities are not exclusive to BD or medical devices. They potentially affect every computer and/or device with a CPU, specifically certain Intel™ chips, AMD™ and ARM processors.
To minimize risk and impact, BD recommends the following for systems that have a vulnerable CPU, an unpatched operating system and any form of network connectivity:
- Ensure the following patches have been applied to your devices:
  - Microsoft Advisory: Apply patches for ADV180002, updated January 2018.
  - As part of our ongoing efforts to provide security, reliability and availability for your BD products, we test and approve applicable Microsoft patches that Microsoft identifies as being Critical or Security related. BD is expediting validation efforts for the Microsoft patches released for Meltdown and Spectre vulnerabilities. As part of this validation, BD will evaluate any system performance impact.
- Apply any applicable firmware update provided by your device manufacturer.
- Ensure your data has been backed up and stored according to your individual process and that your disaster recovery procedures are in place.
- Physical access should be limited to authorized individuals.
- Update your malware protection, where available.
Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s). Software patches addressing Meltdown and Spectre may result in the slowdown of affected systems. When deploying any such software patches, be sure to prioritize and test updates as necessary to assess potential performance impact.
Note: Intel has released a statement noting these exploits do not have the potential to corrupt, modify or delete data.
Products in Scope
BD has assessed these vulnerabilities and identified the risk as low impact: any attack would require local or physical access, the difficulty in exploiting these vulnerabilities is high, and the vulnerabilities do not have the potential to corrupt, modify, or delete data.
BD has provided a list of products in scope in order to better help our customers identify any BD products with a CPU that has the potential to be vulnerable to these threats. The list of BD products in scope is currently dynamic and will be updated as we complete analysis of products in scope.
For product or site-specific concerns, contact your BD service representative. We will update this communication as new information becomes available.
For procedures specific to your product, contact your BD service representative. If you observe symptoms of a ransomware attack, disconnect your system from the network and contact your BD service representative and/or BD Product Security at ProductSecurity@bd.com.
US-CERT Notice: Vulnerability Note VU#584653