Microsoft recently announced a spoofing vulnerability in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) digital authentication certificates. This third-party vulnerability, which Microsoft corrected in its latest patch release, is not specific to BD or our products. However, BD would like to ensure that its customers who use Windows 10, Windows Server 2016 and Windows Server 2019 are aware of the recent Microsoft patch update. If exploited, an attacker could carry out a man-in-the-middle attack and decrypt confidential information on the affected system.
To exploit this vulnerability, an attacker would have to use a spoofed digital authentication certificate to deliver executable code that would appear to the user to come from a trusted provider. This vulnerability can be exploited remotely.
We have had no reports of this vulnerability being exploited on BD’s products.
Microsoft released a patch that addresses this vulnerability by ensuring that Windows CryptoAPI completely validates Elliptic Curve Cryptography digital authentication certificates. BD is currently testing and validating the Microsoft patch for BD products that use the affected third-party Windows versions. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, BD recommends the following actions for systems that use Windows 10, Windows Server 2016, and Windows Server 2019:
BD has received no reports of this third-party Microsoft vulnerability being exploited on BD products. The product list below is available to help customers identify existing BD products that utilize Windows 10, Windows Server 2016, and Windows Server 2019. The list is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.
*Only applicable if product is connected to Assurity Linc for remote service via RSS (Remote Service Solution)
Customers that maintain patches independently of BD automated delivery should ensure these actions are performed, as the responsible entity, in order to maintain the correct security posture of their system(s).
For product- or site-specific concerns, contact your BD service representative. If you observe symptoms of this attack, disconnect your system from the network and contact your BD service representative.