Third-Party Vulnerability: Fortinet FortiOS - Buffer Underflow

Background

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs). 

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance. 

BD is aware of and currently monitoring a vulnerability affecting specific versions of Fortinet FortiOS products. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party Fortinet vulnerability:  

  • CVE-2023-25610 – A buffer underwrite ('buffer underflow') vulnerability in FortiOS, FortiProxy and FortiSwitchManager administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests.

Products that utilize impacted versions of Fortinet FortiOS

This notification applies to the following BD products:

  • BD Kiestra™ TLA/WCA
  • BD Kiestra™ TLA Track
  • BD Kiestra™ ReadA

Only those BD Kiestra™ products mentioned above that contain a System Control Unit (SCU) version 2.5 (released in 2022) are impacted. Earlier versions of the SCU are not impacted. 

This list does not indicate the patch or device status. The list may be updated if more products are identified. Please check back periodically for updates. 

Response

By design, the BD Kiestra™ products already have the mitigation for this vulnerability in place: 

  • Limit IP addresses that can reach the administrative interface.

Please refer to Fortinet PSIRT Advisory FG-IR-23-001 for more information on this compensating control. 
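The compensating control above is an allow-list on the administrative interface. The following FortiOS CLI fragment is an added illustration of that control, not configuration from BD or from the Fortinet advisory; the interface name port1, the management subnet 10.10.0.0/24 and the account name admin are placeholders.

```fortios
# Added illustration (not from BD or the Fortinet advisory): restrict the
# FortiOS administrative GUI to a management subnet. Interface "port1",
# subnet 10.10.0.0/24 and account "admin" are placeholders.

# 1. Define the management subnet as an address object.
config firewall address
    edit "MGMT_SUBNET"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# 2. Local-in policies govern traffic addressed to the FortiGate itself and
#    are evaluated top-down: allow HTTP/HTTPS from MGMT_SUBNET on port1,
#    then deny HTTP/HTTPS from every other source on every interface.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_SUBNET"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTP" "HTTPS"
        set schedule "always"
        set status enable
    next
end

# 3. Defence in depth: pin each administrator account to the management
#    subnet (trusthost), so a login from any other source address is refused.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

Because the deny policy also covers the interface that carries the management subnet, keep the accept policy above it and confirm GUI access from an allowed address before closing the session.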

Additionally, BD is monitoring the situation and will validate and release any patches when those become available from the vendor (Fortinet). Please refer to the Bulletins and Patches page for all approved product security patch notifications. BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability: 

  • Monitor the network for rogue HTTP/HTTPS traffic and malicious packets.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.