November 11, 2014
External statement on SSL 3.0 protocol vulnerability and the POODLE attack
The U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security (DHS), recently released a security advisory that all systems and applications using Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable to an attack. It advised that the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios. The Google security team that discovered this vulnerability in September 2014 has stated that they do not consider the POODLE attack to be as serious as the Heartbleed or Shellshock attacks.
BD is following the recommendation from US-CERT to disable SSL 3.0 on our hosted web service solutions. This will only affect customers who use outdated web browsers, such as Internet Explorer (IE) 6.0 or older. However, BD previously communicated with customers that the company will no longer support IE 6.0 as of October 1, 2014, so we expect minimal impact to customers.
For any customer using IE, BD recommends following the suggested actions in the Microsoft® advisory instructions or using an alternate web browser that supports the Transport Layer Security (TLS) protocol.
To change the default protocol version to be used for HTTPS requests, Microsoft recommends:
- On the IE Tools menu, click Internet Options.
- In the Internet Options dialog box, click the Advanced tab.
- In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1 and Use TLS 1.2(if available).
- Click OK.
- Exit and restart.
For any customer using Google Chrome or Mozilla Firefox, BD recommends following the suggested actions in Disabling Browser Support for the SSL 3.0 Protocol.
After BD disabled SSL 3.0 on our systems, we can confirm that these customer-facing hosted web service solutions are secure from the SSL 3.0 and POODLE attack vulnerability:
- Axeda and Bomgar Remote Support Services (RSS) and access platforms for Alaris™ and Pyxis™ technologies
- BD Customer Portal, available for Pyxis technologies customers at cp.carefusion.com
- Knowledge Portal analytics solutions for infusion technologies, Pyxis medication and supply technologies, and ventilator therapy
- External Identity Manager (EIM), at eim.carefusion.com
- MedMined™ Surveillance Advisor
- Respiratory diagnostics eStore, at store.carefusion.com/respiratorydiagnostics
- The supplier and distributor communication portal, at vision.carefusion.com
- Teamviewer RSS for ventilation technologies
- V. Mueller™ online catalog, at vision.carefusion.com