SQL Function Vulnerability for BD Kiestra TLA, BD Kiestra WCA, BD Kiestra InoqulA+

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

Severity - Medium

Oct 2, 2018


It applies to BD products in scope listed below. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD's culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risk, even those caused by third-party software and/or operating systems.

BD is committed to providing safe and secure products to our customers given the important benefits they provide to patient health. We value the confidentiality, integrity and availability of all protected health and personally identifiable information (e.g. PHI, PII) in accordance with all applicable federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act.

This notification provides product security information and recommendations related to a product security vulnerability found in the following BD Kiestra Systems: BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. The contents of this notification will be disclosed publicly on the BD Product Security website (www.bd.com/productsecurity) and are voluntarily reported by BD to the Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC), to optimally reach past and present customers.

--------- Begin Update B: October 2, 2018 ---------

This updated advisory provides a confirmation of mitigations to the original advisory titled Product security bulletin for BD Kiestra TLA, BD Kiestra WCA, BD InoqulA that was originally published May 22, 2018.

Mitigations & Compensating Controls

BD has developed and deployed a mitigation that prevents authorized users with access to a privileged account on a BD Kiestra system from triggering SQL functions. This mitigation also closes the exposure of a limited set of ePHI patient data that could be revealed when a privileged user executed a select SQL statement in the ReadA Overview. BD is in the process of deploying the mitigation remotely or on premise, depending on customer preference.

  • When configuring new programs through the 'Configuring Programs' function in Database (DB) Manager version 3.0.1.0, the export-import function will no longer prompt the user with a pop-up window to enter SQL statements.
  • ReadA Overview, version 1.1.0.2 and previous versions, will no longer prompt the user with a pop-up window to enter SQL statements.
  • PerformA, version 3.0.0.0 and previous versions, will no longer allow BD personnel to execute SQL statements because permissions have been changed to read only.

Customers should ensure that access to BD Kiestra Systems is closely monitored while continuing to implement best security practices to effectively prevent unauthorized access to BD Kiestra Systems.

For product support or site-specific concerns, please contact your regional customer service representative. North America customers may contact Lab Automation Regional Phone Support via email lab_automation_phone_support@bd.com or by phone 1-800-638-8663. EMEA customers may contact Customer Service Desk via email csd@bd.com or via phone +31 512 540 623.

--------- End Update B: October 2, 2018 ---------

Affected Products

This notification applies to the following BD Kiestra systems:

  • BD Kiestra TLA
  • BD Kiestra WCA
  • BD InoqulA+ specimen processor

All three BD Kiestra systems listed above use the following vulnerable applications:

  • Database (DB) Manager, version 3.0.1.0. The DB Manager is a tool used by customers to populate the BD Kiestra database with customer-specific data.
  • ReadA Overview, version 1.1.0.2 and previous versions. The ReadA Overview is a supporting application to monitor the BD Kiestra system, used by both BD authorized service personnel and local authorized users with access to a privileged account on the BD Kiestra system. It displays sample information and allows carrier tracking and tracing.
  • PerformA, version 3.0.0.0 and previous versions. PerformA is a supporting application running in the background, used by BD authorized service personnel only. It is used to monitor the BD Kiestra system's configuration settings, such as CPU usage, hard disk space, database properties, database backups and archiving processes.

In March 2018, BD internally identified and confirmed a vulnerability that allows authorized users with access to a privileged account on a BD Kiestra system to trigger SQL functions.

Additionally, the following limited set of ePHI patient data may be exposed when a privileged user executes a select SQL statement in the ReadA Overview. Data that can be exposed includes:

  • BD Kiestra Lab technicians' user name
  • Three optional fields, if customers have chosen to enter sensitive information in these fields through their Laboratory Information System

The following data fields are only populated if the BD Kiestra™ Urine Culture Application (UCA) is installed:

  • Patient data, which includes:
    • Gender
    • Age
    • Diagnosis
    • Treatment
    • Location: ward, room, bed
    • Sample ID

As of this posting, there have been no complaints or reports from customers that this vulnerability has been exploited.

Clinical Risk Assessment and Patient Safety Impact

This vulnerability has been assessed for patient safety by BD and represents a controlled risk with low probability of harm to the patient directly. If this particular functionality were to be exposed due to misuse or malicious abuse, this could lead to a loss of data or corruption of data. This could potentially cause a delay in test results being reported to the clinician, which could lead to a delay in diagnosis and/or treatment.

Risk Summary

BD has conducted internal risk assessments for the vulnerable applications and collaborated with the U.S. Department of Homeland Security (DHS) and Food and Drug Administration (FDA) to review baseline Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.

DB Manager, version 3.0.1.0
PerformA, version 3.0.0.0 and previous versions
Base score: 5.6 (Medium)
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
Note: PerformA is used by BD authorized service personnel only

Adjacent access is required to exploit this vulnerability. Attack complexity is high because access to a privileged account on a BD Kiestra system is needed. Only users with higher level access privileges have access to the vulnerable function. User interaction (UI:R) is required to carry out an attack. The scope is unchanged, as executing a SQL attack would only affect the local system. Confidentiality is not at risk because SQL select statements will not return values, nor are they visible through a user interface.

Authorized users with privileged access could affect the integrity of data and the availability of the system. If successful, a privileged user may gain access to the Database Management functionality, which grants full administrative control of data stored in the database. This vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.

ReadA Overview, version 1.1.0.2 and previous versions
Base score: 6.3 (Medium)
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Adjacent access is required to exploit this vulnerability. Attack complexity is high because access to a privileged account on a BD Kiestra system is needed. Only users with higher level access privileges have access to the vulnerable function. User interaction (UI:R) is required to carry out this attack. The scope is unchanged, as executing a SQL attack would only affect the local system.

Authorized users with privileged access could affect the confidentiality and integrity of data and the availability of the BD Kiestra systems. If successful, a privileged user may gain access to the Database Management functionality, which grants full control of data stored in the database. This vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.

Mitigations & Compensating Controls

BD intends to implement necessary mitigation controls by July 2018. This mitigation will include removing the functionality to trigger SQL functions in DB Manager, PerformA and ReadA. 

Until mitigations are put in place, BD recommends the following compensating controls. These controls require customer action in order to reduce risk associated with this vulnerability:

  • BD Kiestra Laboratory personnel should refrain from using the functionality associated with SQL functions in all three BD Kiestra Systems: BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor.
  • DB Manager:
    • When configuring new programs through the 'Configuring Programs' function in DB Manager, it is advised not to re-use current programs through the export-import function but to set up a new program or use the predefined program templates. Please refer to the following manuals for more information:

BD Kiestra Total Laboratory Automation (TLA) System User's Manual. Page 193. Section: 26.3.11 Configuring Programs

BD Kiestra Work Cell Automation (WCA) System User's Manual. Page 191. Section: 25.3.11 Configuring Programs

BD Kiestra InoqulA+ system User's Manual. Page 109. Section: 13.3.11 Configuring Programs

    • Ensure only authorized and qualified personnel, such as lab managers and/or lab supervisors, have access control rights to all functions in the DB Manager. This can be configured through the 'Users' function in DB Manager. For details about setting the appropriate user access control in DB Manager, consult the respective device manual:

BD Kiestra Total Laboratory Automation (TLA) System User's Manual. Page 187. Section: 26.3.4 Configuring users

BD Kiestra Work Cell Automation (WCA) System User's Manual. Page 185. Section: 25.3.4 Configuring users

BD Kiestra InoqulA+ system User's Manual. Page 103. Section: 13.3.4 Configuring users

  • ReadA Overview: Customers are advised to set the 'Users' function for all users to 'none' for access to ReadA Overview if the application is not used or not commonly used. If use of ReadA Overview is necessary, customers are advised to ensure only authorized and qualified personnel, such as lab managers and/or lab supervisors, have access control rights to all functions in ReadA Overview. Both settings are configured through the 'Users' function in DB Manager. For details about setting the appropriate user access control in DB Manager, consult the respective device manual:

BD Kiestra Total Laboratory Automation (TLA) System User's Manual. Page 187. Section: 26.3.4 Configuring users

BD Kiestra Work Cell Automation (WCA) System User's Manual. Page 185. Section: 25.3.4 Configuring users

BD Kiestra InoqulA+ system User's Manual. Page 103. Section: 13.3.4 Configuring users

  • PerformA: Customers are advised to ensure that access to BD Kiestra servers is closely monitored while continuing to implement best security practices to effectively prevent unauthorized access to BD Kiestra Systems.

For product support or site-specific concerns, North America customers may contact Lab Automation Regional Phone Support via email lab_automation_phone_support@bd.com or by phone 1-800-638-8663. EMEA customers may contact Customer Service Desk via email csd@bd.com or via phone +31 512 540 623.

You may also contact your regional customer service representative. 

For More Information

For more information on BD's proactive approach to product security and vulnerability management contact BD Product Security:

http://www.bd.com/productsecurity
May 2018
Product Security Bulletin for BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.

BD, Franklin Lakes, NJ 07417, United States
bd.com
© 2018 BD

Last BD Publication Update: 10/02/2018

Original BD Publication Date: 05/22/2018
