OTPulse

BD Kiestra and InoquIA Systems (Update A)

MonitorCVSS 6.3ICS-CERT ICSMA-18-142-01May 22, 2018
Attack path
Attack VectorAdjacent
Auth RequiredHigh
ComplexityHigh
User InteractionRequired
Summary

SQL injection vulnerabilities in BD Kiestra TLA WCA InoqulA+ specimen processor components (PerformA, ReadA Overview, Database Manager) allow authorized users with privileged accounts to execute arbitrary SQL commands. Successful exploitation can lead to loss, corruption, or unauthorized access to patient specimen data and protected health information. Affected versions: Database Manager 3.0.1.0, PerformA ≤3.0.0.0, ReadA Overview ≤1.1.0.2. BD has developed a mitigation to restrict SQL function execution by privileged users and is deploying it remotely or on-premise.

What this means
What could happen
An authorized user with administrative privileges on a BD Kiestra laboratory system could execute SQL commands to corrupt or steal patient data, including exposure of protected health information (ePHI) stored in the database.
Who's at risk
Laboratory information systems and specimen processing workflows in hospitals, clinical labs, and reference labs using BD Kiestra automated specimen processing systems. Impact includes loss of data integrity and confidentiality of patient specimen and health information.
How it could be exploited
An attacker with valid administrative credentials to the BD Kiestra system could access the ReadA Overview or Database Manager component and execute arbitrary SQL statements to read, modify, or delete patient specimen data and associated records. This requires prior compromise or theft of privileged account credentials.
Prerequisites
  • Valid administrative/privileged account credentials for the BD Kiestra system
  • Network access to the affected BD Kiestra component interface
  • User interaction or ability to log in to the system
Requires valid administrative credentialsHigh complexity attack requiring insider knowledge or credential compromisePotential exposure of protected health information (ePHI)No vendor patch currently availableAffects healthcare/clinical data systems
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (6)
6 EOL
ProductAffected VersionsFix Status
BD Kiestra TLA WCA InoqulA+ speciman processor - PerformA:≤ 3.0.0.0No fix (EOL)
PerformA:≤ 3.0.0.0No fix (EOL)
BD Kiestra TLA WCA InoqulA+ speciman processor - ReadA Overview:≤ 1.1.0.2No fix (EOL)
ReadA Overview:≤ 1.1.0.2No fix (EOL)
Database (DB) Manager:3.0.1.0No fix (EOL)
BD Kiestra TLA WCA InoqulA+ speciman processor - Database (DB) Manager:3.0.1.0No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGRestrict database administrative account access to only necessary personnel; audit and disable unused privileged accounts
HARDENINGEnable audit logging for all SQL queries and administrative actions on the BD Kiestra database; review logs regularly for unauthorized access attempts
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact BD to apply the available mitigation (being deployed remotely or on-premise) that restricts SQL function execution by privileged users
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: BD Kiestra TLA WCA InoqulA+ speciman processor - PerformA:, PerformA:, BD Kiestra TLA WCA InoqulA+ speciman processor - ReadA Overview:, ReadA Overview:, Database (DB) Manager:, BD Kiestra TLA WCA InoqulA+ speciman processor - Database (DB) Manager:. Apply the following compensating controls:
HARDENINGImplement network segmentation to limit direct access to the BD Kiestra system to authorized laboratory staff only; restrict remote access if possible
View full CISA ICS-CERT advisory
API: /api/v1/advisories/1c744462-845c-41c3-ae0d-f33c6de7d031

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.