This notification provides product security information and recommendations related to the third-party vulnerability found within the Linux Kernel v4.4.97 in the BD Alaris™ PC Unit 8015, which uses the Laird Wireless Network Module WB40N for wireless communication. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
This vulnerability is not exclusive to BD or medical devices. BD is providing this update to educate customers on which BD products could be affected by this third-party vulnerability.
BD has not received any reports of this third-party vulnerability being exploited on BD products.
Remediation
BD has released the following BD Alaris™ PC Unit Software, which remediates CVE-2019-11479:
BD recommends that customers update to BD Alaris™ PCU version 12.3.1 software, where available, based on regulatory authorization. Customers that require software updates should contact their BD Account Executive to assist with scheduling the remediation.
This notification applies to customers that utilize the Laird Wireless Module WB40N for wireless connectivity. This vulnerability does not apply to customers who do not use the wireless capabilities of the BD Alaris™ PCU Unit, or who use other approved wireless cards in it.
Versions of the BD Alaris™ PCU Unit that could utilize the Laird Wireless Module WB40N include 9.13, 9.19, 9.33, and 12.1.
CVE-2019-11479: Linux Kernel Low MSS Value Response Segmentation Resource Consumption Remote DoS
This vulnerability applies to the Linux Kernel v4.4.97 within the Laird Wireless Module WB40N, which the BD Alaris™ PC Unit utilizes for wireless communication. If exploited, this vulnerability could allow an unauthorized user to cause a denial of service on the target system and potentially cause the BD Alaris™ PC Unit to disconnect from the facility's network. The connected Alaris™ modules would continue to operate as programmed, while the BD Alaris™ PC Unit automatically recovers and reconnects to the network. Wireless functionality operates independently from the pump system, and a disruption in wireless connectivity would not affect pump module functionality. BD has received no reports of exploits related to BD products being impacted by this third-party vulnerability.
Based on the risk evaluation for this vulnerability, the potential risk is negligible. If exploited, this third-party vulnerability could lead to a drop in the wireless communication of the BD Alaris™ PC Unit. The Alaris™ PC Unit and attached modules would continue to function as programmed. Guardrails Safety Software would still be available; however, network-based services such as interoperability would not be available.
Exploiting this vulnerability would not provide administration access to the BD Alaris™ PC Unit or the BD Alaris™ Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris™ PC Unit. If the wireless connection were dropped, the BD Alaris™ PC Unit and attached modules would continue to function as intended without a wireless connection.
BD has assessed the following vulnerability using the Common Vulnerability Scoring System (CVSS) version 3.0 (https://www.first.org/cvss/):
CVE-2019-11479: 5.3 (medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Rationale: Access to the same network that the device is connected to, for example the local Wi-Fi, is a prerequisite for an attack to occur. Specialized access conditions and/or extenuating circumstances are not needed; therefore, the attack complexity is low. No user privileges or interaction are required to exploit this vulnerability. The scope of a potential attack remains unchanged, and this vulnerability has no impact on the confidentiality and integrity of the system. This vulnerability could have a low impact on the availability of the customer network if a denial of service attack were successful.
While the Linux Kernel is a third-party component, BD products utilize it for connectivity. Therefore, we recommend the following mitigations and compensating controls to help our customers reduce the risks associated with this third-party vulnerability:
For product- or site-specific concerns, contact your BD service representative.