BD Updates Hard-Coded Password Issue

Friday, March 24, 2017 @ 03:03 PM gHale


Becton, Dickinson and Company (BD) created compensating controls to reduce the risk of exploitation in a hard-coded password vulnerability in its Kiestra PerformA and KLA Journal Service applications that access the BD Kiestra Database, according to a report with ICS-CERT.

BD produced compensating controls to reduce the chance attackers could leverage the remotely exploitable vulnerability.

RELATED STORIES
LCDS Fixes Path Traversal Hole
Siemens Updates SIMATIC Fixes
Moxa Updates NPort Fix
Rockwell Fixes FactoryTalk Hole

The following BD products suffer from the issue:
• PerformA, Version 2.0.14.0 and prior versions
• KLA Journal Service, Version 1.0.51 and prior versions

Successful exploitation of the vulnerability may allow an attacker to gain access to limited Protected Health Information (PHI)/Personally Identifiable Information (PII) information stored in the BD Kiestra Database.

BD is a U.S.-based company that maintains offices in multiple countries around the world.

BD’s PerformA and KLA Journal Service applications see use with the BD Kiestra Database used in BD’s Kiestra TLA (Total Lab Automation), Kiestra WCA (Work Cell Lab Automation), and Kiestra InoqulA+ systems. The BD PerformA application works for system monitoring and the BD KLA Journal application sees action for incremental backups. BD’s Kiestra TLA and Kiestra WCA are lab automation systems. Kiestra InoqulA+ is a standalone lab automation system. According to BD, these products deployed across the Healthcare and Public Health Sector and they end up used on a global basis.

BD’s PerformA and KLA Journal Service applications use hard-coded passwords to access the BD Kiestra Database, which could end up leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database.

CVE-2017-6022 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit this vulnerability.

BD has produced compensating controls to reduce the risk of exploitation of the hard-coded passwords vulnerability in the PerformA and KLA Journal Service applications by issuing product updates to the PerformA application, KLA Journal Service application, and the Kiestra Database. The product updates ensure each user will get a unique password.

The updated product versions should end up remotely updated between April 2017 and October 2017. The updated version numbers are as follows:
• PerformA application, Version 2.0.14.0
• KLA Journal Service application, Version 1.0.51
• Kiestra Database, Version 3.0.61

BD has also identified the following defensive measures that all users should apply to reduce the risk of exploitation of the identified vulnerability:
• Disable SMB1 protocol on the Database Server, File/Program Server, and Back-up Server if this is active
• Ensure Port 3050/TCP/IP is closed to incoming and outgoing connections (e.g. from Internet to internal hospital network)
• Close Port 3050/TCP/IP on the internal network for traffic other than BD Kiestra applications with the BD Kiestra database

For additional information, BD released a Product Security Bulletin.



Leave a Reply

You must be logged in to post a comment.