Bulletins
CRITICAL
Last updated: December 29, 2022
Original Publication: September 17, 2021
This notification is voluntary shared by BD with Information Sharing and Analysis Organizations (ISAOs).
BD is aware of and currently monitoring a vulnerability in LibSSH library that can result in authentication bypass. This third-party vulnerability is not specific to BD or our products. BD is providing this update to let customers know which BD products could be affected by this third-party vulnerability.
- CVE-2018-10933 - A vulnerability was found in LibSSH's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
BD has not received any reports of this vulnerability being exploited on BD products.
BEGIN UPDATE A: Dec 29, 2022
BD has released a Wi-Fi module patch to address this vulnerability, CVE-2018-10933.
- Customers can obtain a CD Image containing the Wi-Fi module patch through their local BD Global Customer Service representative. The part number is 1000SP02383.
BD recommends that customers apply the Wi-Fi module patch which updates the BD Alaris™ neXus pump Wi-Fi module. For assistance scheduling the remediation, customers should contact their BD Sales Representative.
Note: Ensure BD Alaris™ neXus GP Pump Software is at Version 5.1.1 before applying the Wi-Fi patch.
END UPDATE A: Dec 29, 2022
The product list below identifies existing BD products that utilize in-scope LibSSH. The list may be updated as more products are identified. In addition, this list does not indicate the patch or device status. Please check back periodically for updates.
The BD products listed below are in scope for CVE-2018-10933
- BD Alaris™ neXus GP pump v 5.0 & v 5.1 – Model: GPneXus1
- BD Alaris™ neXus CC syringe pumps v 5.0 – Models: CCneXus1 and CCneXus1-S
BEGIN UPDATE A: Dec 29, 2022
- BD Alaris™ neXus PK syringe pump v5.0.25 – Model: PKneXus1
END UPDATE A: Dec 29, 2022
To exploit this vulnerability, a threat actor would have to first access the facility's internal network and establish an SSH connection. They then would have to craft firmware compatible with the product and install it on the device, which would require administrator privileges, and then restart the device. Any such attack would only impact the integrity of the system as there are no data exfiltration avenues, nor any reasonable means to destroy data through this attack.
A successful exploitation of this vulnerability was concluded to be highly unlikely:
If an attacker were to alter the firmware on the Laird™ module, the only data that could be transferred to the pump would be a data set (drug library and pump configurations). Exploiting this vulnerability would not provide remote access for an attacker to perform any commands on the pump.
If an attacker were to change infusion parameters in the data set, the user would still be required to power cycle the pump for the changes to take effect, and then the user would still need to validate infusion parameters prior to the start of an infusion, which reduces the probability of a programming error occurring.
An attacker would only be able to compromise one device at a time. In the event of a successful attack, the user could exchange the affected device for a device not impacted.
Based on considerations from above, there is a low risk of any patient harm.
BD is currently working to test and validate the patch(es) for BD products that use the affected third-party component. Please refer to Bulletins and Patches for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using the above listed BD products that utilize affected LibSSH software:
- Firewall all wireless segments: Institute a firewall between patient-critical systems and the rest of the network. This will further restrict access from outside attackers and create of firewall rules to address threats much easier to implement.
- Ensure that the firewall restricts the critical port 2222.
- Active Network Monitoring: Review malicious activity on the wireless network segments where the pumps reside
- Strong Network Authentication Passwords: Use a strong password for wireless network authentication (i.e., 31 characters long, mixed mode with special characters and numbers).
- Nursing Education: Nurses should be instructed to ignore drug library updates unless directed to implement by hospital internal resources. Unplanned drug library events without prior notification may not be valid.
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.