Third-party Vulnerability

BusyBox

Background

BD is aware of and is monitoring multiple vulnerabilities in third-party vendor BusyBox software. These vulnerabilities are not exclusive to BD nor to medical devices. BD is providing this update to educate customers on which BD products could be affected by these third-party vulnerabilities.

These third-party vulnerabilities, if exploited, may allow an unauthorized user with access to the customer’s wireless network to gain access to a customer’s wireless credentials or other sensitive information by sending a crafted Dynamic Host Configuration Protocol (DHCP) message.

This vulnerability was reported to BD by security vendor Palo Alto Networks. However, BD has not received any reports of these third-party vulnerabilities being exploited on BD products.

BEGIN UPDATE A: Oct 26, 2023

Remediation

BD has released the following BD Alaris™ PC Unit Software, which remediates CVE-2016-2148, CVE-2018-20679, and CVE-2019-5747:

  • BD Alaris™ PC Unit Software Version 12.3.1
BD recommends that customers update to BD Alaris™ PCU version 12.3.1 software, where available, based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.

Note: This update only applies to BD Alaris™ Infusion System, pictured below:

END UPDATE A: Oct 26, 2023

Products in Scope

This notification applies to customers that utilize the BD Alaris™ PC Unit, Model 8015, and the BD FocalPoint™ Slide Profiler APPS Workstation (versions 3.7.0 – 3.8.1).

Vulnerability Details

  • CVE-2016-2148
    • Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
    • Vendor assessed CVSS: 9.8 Critical CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 
  • CVE-2018-1000517
    • A buffer overflow vulnerability exists in the BusyBox wget function prior to BusyBox version 1.29.0 that can result in a heap buffer overflow, which may allow an attacker to execute arbitrary commands on the target system.
    • Vendor assessed CVSS: 9.8 Critical CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 
  • CVE-2018-20679
    • An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.
    • Vendor assessed CVSS: 7.5 High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 
  • CVE-2019-5747
    • An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
    • Vendor assessed CVSS: 7.5 High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

BD Products That Utilize Affected BusyBox Components

The product lists below are available to customers to help identify existing BD products that utilize the affected BusyBox software components. The lists may be updated as more products are identified. Please check back periodically for updates and security patch notifications.

The BD products listed below are in scope for CVE-2016-2148, CVE-2018-20679, and CVE-2019-5747:

  • BD Alaris™ PC Unit, Model 8015*
  • BD FocalPoint™ Slide Profiler APPS Workstation (versions 3.7.0 – 3.8.1)
*Only applies to devices containing the 802.11 a/b/g/n Wireless Network Card on the back of the BD Alaris™ PC Unit, Model 8015.

The BD product listed below is in scope for CVE-2018-1000517:

  • BD FocalPoint™ Slide Profiler APPS Workstation (versions 3.7.0 – 3.8.1)

Clinical Risk Assessment and Patient Safety Impact

A clinical risk assessment and patient safety impact assessment were not completed for the BD Alaris™ PC Unit, Model 8015, because the vulnerability is limited to the wireless card (while the attack is in process) and neither the integrity nor the availability of the pump is impacted by this vulnerability.

A successful attack on the BD FocalPoint™ Slide Profiler APPS Workstation may impact system availability (i.e., may cause system downtime, requiring a service visit). As cervical cytology slides can be evaluated manually when the system is unavailable, lack of system availability is not anticipated to introduce a significant delay in results reporting.

Response

Mitigations and Compensating Controls

BD is currently working to remediate this vulnerability for BD products that use the affected third-party components. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize the affected software:

  • For both the BD Alaris™ PC Unit, Model 8015, and BD FocalPoint™ Slide Profiler APPS Workstation: Enforce segmentation controls and proper network hygiene measures, such as restricting external communication paths and isolating or containing vulnerable devices in zones, and
 
  • For the BD Alaris™ PC Unit, Model 8015: Isolate BD Alaris™ pumps on a separate VLAN and monitor traffic for modified DHCP packets and for a potential rogue DHCP server on the VLAN segment.
 
  • For the BD FocalPoint™ Slide Profiler APPS Workstation: Continue to use static IP addressing as configured by the BD Service Representative. The FocalPoint Slide Profiler APPS Workstation is not impacted by the BusyBox vulnerabilities as configured by BD Service Representatives during installation in customer environments. Neither the DHCP service nor the wget command (CVE-2018-1000517) is configured to run while the system is in operation.
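The length check that CVE-2018-20679 and CVE-2019-5747 describe as missing from udhcp_get_option(), and the kind of malformed DHCP option the VLAN monitoring control above asks customers to watch for, as an added example in C that is not BusyBox code or BD's: a validating walk over the DHCP option field that rejects a fixed-size option (such as the subnet mask) whose declared length is not the expected 4 bytes, so a consumer never reads past a short option. The option codes are from RFC 2132; the sample option fields are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 2132 option codes; DHCP_SUBNET is the option behind CVE-2019-5747. */
#define DHCP_PADDING 0
#define DHCP_SUBNET  1
#define DHCP_END     255

enum dhcp_check { DHCP_OK = 0, DHCP_TRUNCATED = 1, DHCP_BAD_FIXED_LEN = 2 };

/* Expected value length of fixed-size options; 0 means variable length. */
static size_t fixed_len(uint8_t code) {
    switch (code) {
    case DHCP_SUBNET: case 51: case 54: return 4; /* mask, lease time, server id */
    case 53: return 1;                            /* message type */
    default: return 0;
    }
}

/* Walk the TLV option field once. Rejects a length that runs past the buffer and a
 * fixed-size option whose declared length is not the expected one; the latter is the
 * check udhcp_get_option() lacked. On failure *bad_code gets the offending code. */
enum dhcp_check dhcp_check_options(const uint8_t *opts, size_t n, uint8_t *bad_code) {
    for (size_t i = 0; i < n; ) {
        uint8_t code = opts[i];
        if (code == DHCP_PADDING) { i++; continue; }
        if (code == DHCP_END) return DHCP_OK;
        if (bad_code) *bad_code = code;
        if (i + 1 >= n || i + 2 + opts[i + 1] > n) return DHCP_TRUNCATED;
        if (fixed_len(code) && (size_t)opts[i + 1] != fixed_len(code)) return DHCP_BAD_FIXED_LEN;
        i += 2 + opts[i + 1];
    }
    return DHCP_OK; /* no END marker, but nothing overran the buffer */
}

/* Value of option `code` (its length in *len), or NULL if the option is absent or
 * the field failed validation; callers therefore never read past a short option. */
const uint8_t *dhcp_get_option(const uint8_t *opts, size_t n, uint8_t code, size_t *len) {
    if (dhcp_check_options(opts, n, NULL) != DHCP_OK) return NULL;
    for (size_t i = 0; i < n && opts[i] != DHCP_END; i += opts[i] ? 2 + opts[i + 1] : 1)
        if (opts[i] == code) { if (len) *len = opts[i + 1]; return opts + i + 2; }
    return NULL;
}

/* Constructed samples, not captured traffic: a well-formed field, one whose
 * subnet-mask option claims 1 byte instead of 4, and one truncated mid-option. */
const uint8_t SAMPLE_GOOD[]  = {53,1,2, 1,4,255,255,255,0, 54,4,192,168,1,1, 255};
const uint8_t SAMPLE_SHORT[] = {53,1,2, 1,1,255, 255};
const uint8_t SAMPLE_TRUNC[] = {53,1,2, 1,4,255,255};
```

A monitoring sensor on the pump VLAN can apply the same walk to the options field of each DHCP message and alert on any DHCP_BAD_FIXED_LEN or DHCP_TRUNCATED result.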

Additional Resources

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.