Becton, Dickinson and Company (BD) has implemented third-party vendor patches to fix a nonce reuse vulnerability in certain BD Pyxis products, according to an advisory published by ICS-CERT.
Successful exploitation of this vulnerability could allow data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data.
The following versions of BD Pyxis products, a medication and supply management system, suffer from the vulnerability:
• BD Pyxis Anesthesia ES
• BD Pyxis Anesthesia System 4000
• BD Pyxis Anesthesia System 3500
• BD Pyxis MedStation 4000 T2
• BD Pyxis MedStation ES
• BD Pyxis SupplyStation
• BD Pyxis Supply Roller
• BD Pyxis ParAssist System
• BD Pyxis PARx
• BD Pyxis CIISafe – Workstation
• BD Pyxis StockStation System
• BD Pyxis Parx handheld
An industry-wide vulnerability exists in the WPA and WPA2 protocols, which are affected by the Key Reinstallation Attacks known as KRACK. The four-way handshake traffic in the Wi-Fi Protected Access (WPA and WPA2) protocols can be manipulated to allow nonce reuse, resulting in key reinstallation. This could allow an attacker within radio range to execute a “man-in-the-middle” attack, enabling the attacker to replay, decrypt, or spoof frames.
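The following added example (not code from the advisory, BD, or the KRACK researchers) models the supplicant side of the four-way handshake to show why the key reinstallation matters: when a retransmitted message 3 makes a vulnerable client re-install the same temporal key and reset its packet number, two frames end up encrypted under the same key and nonce, and the XOR of their ciphertexts cancels the keystream, which is the "partial disclosure of encrypted communication" the advisory describes. The keystream function is a hash-based stand-in for CCMP's AES-CTR keystream (an assumption made for an offline demo, not real CCMP), and the patched behaviour modeled here is simply "do not re-install a key that is already installed", which keeps the nonce counter monotonic. The `nonce_reuse_pairs` check is the kind of test a defender can run over a client's captured packet numbers to spot a reset.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def keystream(tk: bytes, nonce: int, length: int) -> bytes:
    """Toy per-packet keystream derived from the temporal key (TK) and the
    packet number used as nonce. Assumption: a stand-in for CCMP's AES-CTR
    keystream, chosen so the demo runs with the standard library only."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Minimal model of a Wi-Fi client (supplicant) during the 4-way handshake."""
    reject_reinstall: bool          # True models the patched behaviour
    tk: Optional[bytes] = None      # installed temporal key
    pn: int = 0                     # packet number, used as the CCMP nonce
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def on_msg3(self, tk: bytes) -> None:
        # Message 3 triggers installation of the pairwise key. The AP retransmits
        # it if the client's message 4 is lost, so a client may see it twice.
        if self.reject_reinstall and self.tk == tk:
            return  # patched: key already in use, keep the nonce counter as is
        self.tk = tk
        self.pn = 0  # vulnerable: re-installing resets the nonce to its start value

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.pn += 1
        ct = xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))
        self.sent.append((self.pn, ct))
        return self.pn, ct


def nonce_reuse_pairs(frames: List[Tuple[int, bytes]]) -> Dict[int, List[bytes]]:
    """Defender-side check: return packet numbers that appear on more than one
    frame sent by the same client under the same key."""
    seen: Dict[int, List[bytes]] = {}
    for pn, ct in frames:
        seen.setdefault(pn, []).append(ct)
    return {pn: cts for pn, cts in seen.items() if len(cts) > 1}


def run(reject_reinstall: bool) -> dict:
    """Drive one handshake with a retransmitted message 3 and report the outcome."""
    tk = hashlib.sha256(b"constructed-ptk-for-demo").digest()[:16]  # constructed key
    pt1 = b"first data frame after install"      # constructed sample frames
    pt2 = b"second frame after retransmit!"
    client = Supplicant(reject_reinstall=reject_reinstall)
    client.on_msg3(tk)               # legitimate message 3: first key install
    pn1, ct1 = client.send(pt1)
    client.on_msg3(tk)               # retransmitted message 3 (message 4 was lost)
    pn2, ct2 = client.send(pt2)
    reused = sorted(nonce_reuse_pairs(client.sent))
    # Same key and same nonce means the same keystream, so ct1 XOR ct2 equals
    # pt1 XOR pt2: the encrypted traffic is partially disclosed.
    keystream_reuse = xor(ct1, ct2) == xor(pt1, pt2)
    return {"nonces": (pn1, pn2), "reused_nonces": reused,
            "keystream_reuse": keystream_reuse}


if __name__ == "__main__":
    print("vulnerable:", run(reject_reinstall=False))
    print("patched:   ", run(reject_reinstall=True))
```

The vulnerable run reports nonce 1 used twice and `keystream_reuse` true; the patched run reports nonces 1 and 2 with no reuse. The real fix in affected Wi-Fi stacks follows the same principle as `reject_reinstall`: an already-installed key is not installed again, so the packet number and replay counter are never rolled back.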
Mathy Vanhoef of imec-DistriNet, KU Leuven discovered the KRACK vulnerabilities. BD reported to NCCIC that the KRACK vulnerabilities may affect these products.
The following CVEs have been assigned to this group of vulnerabilities:
CVE-2017-13077: Reinstallation of the pairwise key during the four-way handshake.
CVE-2017-13078: Reinstallation of the group key during the four-way handshake.
CVE-2017-13079: Reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake.
CVE-2017-13080: Reinstallation of the group key during the group key handshake.
CVE-2017-13081: Reinstallation of the IGTK during the group key handshake.
CVE-2017-13082: Reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transition (FT) handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake.
CVE-2017-13087: Reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the IGTK when processing a WNM Sleep Mode Response frame.
A CVSS v3 base score of 6.8 has been calculated.
The product is used mainly in the healthcare and public health sectors, and it is deployed globally.
These vulnerabilities have been publicly disclosed. They are exploitable from an adjacent network, and exploiting them requires a high skill level.
BD has implemented third-party vendor patches through BD’s routine patch deployment process that resolve these vulnerabilities for most devices. Some devices require coordination with BD, which is in the process of contacting users to schedule and deploy patches. There is currently no reported, verified instance of the KRACK vulnerability being exploited maliciously against BD devices.
Additionally, BD recommends the following compensating controls to reduce the risk associated with this vulnerability:
• Ensure the latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi enabled networks
• Ensure appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client
• Ensure data has been backed up and stored according to individual processes and disaster recovery procedures
BD published a product security bulletin to notify users about this issue and to provide additional mitigation counsel.