Meltdown and Spectre Update II

Mar 23, 2018


Background and Scope


BD is currently monitoring the Meltdown and Spectre vulnerabilities. While these vulnerabilities are hardware-based, they impact multiple operating systems. A flaw in central processing units (CPUs) could allow malicious software to gain access to other processes and data on any impacted computer or server, including cloud applications. These vulnerabilities are not exclusive to BD or medical devices. They potentially affect every computer and/or device with a CPU, specifically certain Intel chips and AMD and ARM processors.

Response

As a result of these events, and to minimize risk and impact, BD recommends the following for systems that have a vulnerable CPU, an unpatched operating system and any form of network connectivity:

    • Ensure the following patches have been applied to your devices:
      • Microsoft Advisory: Apply patches for ADV180002, updated January 2018.
      • As part of our ongoing efforts to provide security, reliability and availability for your BD products, we test and approve applicable Microsoft patches that Microsoft identifies as being Critical or Security related. BD is expediting validation of these Microsoft patches and expects to release them to impacted devices as part of each impacted product’s next release cycle. As part of this validation, BD will evaluate any system performance impact.
    • Apply any applicable firmware update provided by your device manufacturer
    • Ensure your data has been backed up and stored according to your individual process and that your disaster recovery procedures are in place
    • Physical access should be limited to authorized individuals
    • Update your malware protection, where available

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s). Software patches addressing Meltdown and Spectre may result in the slowdown of affected systems. When deploying any such software patches, be sure to prioritize and test updates as necessary to assess potential performance impact.

For Vascular Access Devices, a Business Group of BD (formerly Bard Access Systems), updates to the operating system or firmware are currently being evaluated for potential performance impact.

Products in Scope

BD has assessed these vulnerabilities and identified the risk as low impact. Any attack would require local or physical access, the difficulty of exploiting these vulnerabilities is high, and the vulnerabilities do not have the potential to corrupt, modify, or delete data.

BD has provided a list of products in scope in order to better help our customers identify any BD products with a CPU that has the potential to be vulnerable to these threats. The list of BD products in scope is currently dynamic and will be updated as we complete analysis of products in scope. Additionally, BD has incorporated a list of Vascular Access Devices in scope.

Questions

For product or site-specific concerns, contact your BD service representative. We will update this communication as new information becomes available.

For procedures specific to your product, contact your BD service representative. If you observe symptoms of a ransomware attack, disconnect your system from the network and contact your BD service representative and/or BD Product Security at ProductSecurity@bd.com.

Additional Resources

https://meltdownattack.com/

US-CERT Notice: Vulnerability Note VU#584653

Intel responds to security research findings, noting these exploits do not have the potential to corrupt, modify or delete data.
