ESB-2018.1561 - [Appliance] BD Kiestra TLA, BD Kiestra WCA, and BD InoqulA+ specimen processor: Increased privileges - Existing account 2018-05-23


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1561
         Advisory (ICSMA-18-142-01) BD Kiestra and InoqulA Systems
                                23 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BD Kiestra TLA
                   BD Kiestra WCA
                   BD InoqulA+ specimen processor
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2018-10595 CVE-2018-10593 

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-18-142-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-142-01) BD Kiestra and InoqulA Systems

Original release date: May 22, 2018

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

    CVSS v3 6.3
    ATTENTION: Exploitable from adjacent network
    Vendor: Becton, Dickinson and Company (BD)
    Equipment: BD Kiestra and InoqulA systems
    Vulnerabilities: Product UI does not Warn User of Unsafe Actions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may lead to loss or 
corruption of data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

BD reports these vulnerabilities affect applications used by the following BD
Kiestra systems:

    BD Kiestra TLA,
    BD Kiestra WCA, and
    BD InoqulA+ specimen processor.

All three BD Kiestra systems listed above use the following vulnerable 
applications:

    Database (DB) Manager, Version 3.0.1.0,
    ReadA Overview, Version 1.1.0.2 and previous, and
    PerformA, Version 3.0.0.0 and previous versions.

3.2 VULNERABILITY OVERVIEW

3.2.1 PRODUCT UI DOES NOT WARN USER OF UNSAFE ACTIONS CWE-356

A vulnerability in DB Manager and PerformA allows an authorized user with 
access to a privileged account on a BD Kiestra system to issue SQL commands, 
which may result in data corruption.

CVE-2018-10593 has been assigned to this vulnerability. A CVSS v3 base score 
of 5.6 has been calculated; the CVSS vector string is 
(AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H).

3.2.2 PRODUCT UI DOES NOT WARN USER OF UNSAFE ACTIONS CWE-356

A vulnerability in ReadA allows an authorized user with access to a privileged
account on a BD Kiestra system to issue SQL commands, which may result in loss
or corruption of data.

CVE-2018-10595 has been assigned to this vulnerability. A CVSS v3 base score 
of 6.3 has been calculated; the CVSS vector string is 
(AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

    Critical Infrastructure Sectors: Healthcare and Public Health
    Countries/Areas Deployed: Worldwide
    Company Headquarters Location: United States

3.4 RESEARCHER

BD discovered these vulnerabilities and reported them to NCCIC.

4. MITIGATIONS

BD intends to implement necessary mitigation controls by July 2018. This 
mitigation will include removing the functionality to trigger SQL functions in
DB Manager, PerformA and ReadA. Until mitigations are in place, BD recommends
the following compensating controls. These controls require user action in 
order to reduce risk associated with these vulnerabilities:

DB Manager: BD Kiestra laboratory personnel should refrain from using the
functionality associated with SQL functions in all three BD Kiestra systems: BD
Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. When 
configuring new programs through the Configuring Programs function in DB 
Manager, do not re-use current programs through the export-import function; 
set up a new program or use the predefined program templates instead. Please 
refer to the user manuals for more information. Ensure that only authorized and 
qualified personnel, such as lab managers and/or lab supervisors, have access 
control rights to all functions in DB Manager. This can be configured through 
the Users function in DB Manager. For details about setting the appropriate 
user access control in DB Manager, consult the respective device manual.

ReadA Overview: If the application is not used or not commonly used, users are
advised to set access to ReadA Overview to none for all users through the Users
function in DB Manager. If use of ReadA Overview is necessary, ensure that only
authorized and qualified personnel, such as lab managers and/or lab 
supervisors, have access control rights to all functions in ReadA Overview. 
This can also be configured through the Users function in DB Manager. For 
details about setting the appropriate user access control in DB Manager, 
consult the respective device manual.

PerformA: Users are advised to ensure that access to BD Kiestra servers is 
closely monitored, while continuing to implement best security practices to 
effectively prevent unauthorized access to BD Kiestra systems.

For product support or site-specific concerns, users in North America may 
contact Lab Automation Regional Phone Support via email 
lab_automation_phone_support@bd.com or by phone (1-800-638-8663). Users in 
EMEA may contact Customer Service Desk via email csd@bd.com or by phone (+31 
512 540 623).

For more specific details regarding these vulnerabilities, the associated 
mitigations, and links to user manuals, please see the BD Product Security 
Bulletin at the following location:

https://www.bd.com/en-us/support/product-security-and-privacy

NCCIC recommends users take defensive measures to minimize the risk of 
exploitation of these vulnerabilities. Specifically, users should:

 o Minimize network exposure for all control system devices and/or systems, 
and ensure that they are not accessible from the Internet.

 o Locate control system networks and remote devices behind firewalls, and 
isolate them from the business network.

 o When remote access is required, use secure methods, such as Virtual 
Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and 
should be updated to the most current version available. Also recognize that 
VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk 
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended 
practices on the ICS-CERT web page. Several recommended practices are 
available for reading and download, including Improving Industrial Control 
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly 
available on the ICS-CERT website in the Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies.

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to NCCIC for 
tracking and correlation against other incidents.

NCCIC also recommends that users take the following measures to protect 
themselves from social engineering attacks:

 o Do not click web links or open unsolicited attachments in email messages.

 o Refer to Recognizing and Avoiding Email Scams for more information on 
avoiding email scams.

 o Refer to Avoiding Social Engineering and Phishing Attacks for more 
information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These 
vulnerabilities are not exploitable remotely. High skill level is needed to 
exploit.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
