Becton, Dickinson and Company (BD) will have mitigations ready in July for two "product UI does not warn user of unsafe actions" (CWE-356) vulnerabilities in its BD Kiestra and InoqulA systems, according to an advisory published by NCCIC.
Successful exploitation of these vulnerabilities, which BD self-reported, may lead to loss or corruption of data.
BD reports these vulnerabilities, which are exploitable from an adjacent network, affect applications used by the following BD Kiestra systems:
• BD Kiestra TLA
• BD Kiestra WCA
• BD InoqulA+ specimen processor
All three BD Kiestra systems listed above use the following vulnerable applications:
• Database (DB) Manager, Version 184.108.40.206
• ReadA Overview, Version 220.127.116.11 and previous versions
• PerformA, Version 18.104.22.168 and previous versions
In the first vulnerability, DB Manager and PerformA allow an authorized user with access to a privileged account on a BD Kiestra system to issue arbitrary SQL commands, which may result in data corruption.
CVE-2018-10593 has been assigned to this vulnerability, which has a CVSS v3 base score of 5.6.
In the second, ReadA allows an authorized user with access to a privileged account on a BD Kiestra system to issue arbitrary SQL commands, which may result in loss or corruption of data.
CVE-2018-10595 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.3.
The products are deployed mainly in the healthcare and public health sector, and are in use worldwide.
No known public exploits specifically target these vulnerabilities. They are not exploitable from a remote network (only from an adjacent one), they require an already privileged account, and a high skill level is needed to exploit them.
BD intends to implement necessary mitigation controls by July. This mitigation will include removing the functionality to trigger SQL functions in DB Manager, PerformA and ReadA.
Until mitigations are in place, BD recommends the following compensating controls. These controls require user action in order to reduce risk associated with these vulnerabilities:
• DB Manager:
— BD Kiestra laboratory personnel should refrain from using the SQL functions in all three BD Kiestra systems: BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. When configuring new programs through the ‘Configuring Programs’ function in DB Manager, do not re-use current programs through the export-import function; instead, set up a new program or use the predefined program templates. Refer to the user manuals for more information.
— Ensure only authorized and qualified personnel, such as lab managers and/or lab supervisors, have access control rights to all functions in the DB Manager. This can be configured through the ‘Users’ function in DB Manager. For details about setting the appropriate user access control in DB Manager, consult the respective device manual.
• ReadA Overview: Users are advised to set the ‘Users’ function for all users to ‘none’ for access to ReadA Overview, if the application is not used or not commonly used. This can be configured through the ‘Users’ function in DB Manager. If use of ReadA Overview is necessary, users are advised to ensure only authorized and qualified personnel, such as lab managers and/or lab supervisors, have access control rights to all functions in ReadA Overview. This can be configured through the ‘Users’ function in DB Manager. For details about setting the appropriate user access control in DB Manager, consult the respective device manual.
• PerformA: Users are advised to ensure that access to BD Kiestra servers is closely monitored, while continuing to follow security best practices to prevent unauthorized access to BD Kiestra systems.
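The weak pattern the advisory describes (a privileged tool that will run any SQL statement with no warning before a destructive action) beside a hardened variant that applies the compensating controls above: the SQL function is limited to named roles, and statements that modify data are refused unless the caller explicitly confirms the unsafe action. This is an added illustration written for this page, not BD's code; it runs against an in-memory SQLite table with constructed specimen rows, and the table, role names and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a lab database (not BD's schema).
SAMPLE_ROWS = [
    (1, "SPEC-001", "urine", "plated"),
    (2, "SPEC-002", "blood", "incubating"),
]

# Hypothetical role names; mirrors restricting the SQL function to lab
# managers/supervisors via a 'Users' access-control setting.
SQL_ALLOWED_ROLES = {"lab_manager", "lab_supervisor"}

# Statements that change data or schema; these need explicit confirmation.
_WRITE_RE = re.compile(
    r"^\s*(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|REPLACE|CREATE)\b", re.I
)


def new_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE specimen (id INTEGER PRIMARY KEY, barcode TEXT, "
        "sample_type TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO specimen VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def run_sql_unchecked(conn, role, sql):
    """Weak design (CWE-356 style): any user who can reach the tool can run
    any statement, and nothing warns before a destructive one."""
    with conn:  # commits on success
        return conn.execute(sql).fetchall()


def run_sql_guarded(conn, role, sql, confirmed_unsafe=False):
    """Hardened design: role allowlist, one statement at a time, explicit
    confirmation for data-changing statements, and a transaction so a
    failing statement leaves the database untouched."""
    if role not in SQL_ALLOWED_ROLES:
        raise PermissionError(f"role {role!r} may not issue SQL")
    if ";" in sql.strip().rstrip(";"):
        # Crude but sufficient here; sqlite3 also rejects multi-statement strings.
        raise ValueError("only a single statement is permitted")
    if _WRITE_RE.match(sql) and not confirmed_unsafe:
        raise ValueError("statement modifies data; explicit confirmation required")
    with conn:  # rolls back if the statement raises
        return conn.execute(sql).fetchall()


def attempt(conn, role, sql, confirmed_unsafe=False):
    """Run through the guarded path and report the outcome as a string
    ('ok', 'PermissionError' or 'ValueError')."""
    try:
        run_sql_guarded(conn, role, sql, confirmed_unsafe)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def specimen_count(conn):
    return conn.execute("SELECT COUNT(*) FROM specimen").fetchone()[0]


if __name__ == "__main__":
    weak = new_db()
    run_sql_unchecked(weak, "technician", "DELETE FROM specimen")
    print("weak design, rows left after technician's DELETE:", specimen_count(weak))

    hard = new_db()
    print("technician SELECT:", attempt(hard, "technician", "SELECT * FROM specimen"))
    print("manager DELETE, unconfirmed:", attempt(hard, "lab_manager", "DELETE FROM specimen"))
    print("rows left:", specimen_count(hard))
```

The guard does not make arbitrary SQL safe; it only blocks the accidental destructive action the advisory warns about and narrows who can reach the function, which is exactly the scope of BD's interim controls. Removing the SQL entry point altogether, as BD's July mitigation does, is the stronger fix.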
For product support or site-specific concerns, users in North America may contact Lab Automation Regional Phone Support via email or by phone (1-800-638-8663). Users in EMEA may contact Customer Service Desk via email or by phone (+31 512 540 623).
For more specific details regarding these vulnerabilities, the associated mitigations, and links to user manuals, see the BD Product Security Bulletin.