BD Product Security Bulletin for Third-Party CryptoAPI Vulnerability

Background

Microsoft recently announced a spoofing vulnerability in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) digital authentication certificates. This third-party vulnerability, which Microsoft corrected in its latest patch release, is not specific to BD or its products. However, BD wants to ensure that its customers who use Windows 10, Windows Server 2016 and Windows Server 2019 are aware of the recent patch update from Microsoft. If exploited, an attacker could carry out a man-in-the-middle attack and decrypt confidential information on the affected system.

In order to exploit this vulnerability, an attacker would have to use a spoofed digital authentication certificate and deliver executable code that would appear to the user to come from a trusted provider. This vulnerability can be exploited remotely.

We have had no reports of this vulnerability being exploited on BD’s products.

Response

Microsoft released a patch that addresses this vulnerability by ensuring that Windows CryptoAPI completely validates Elliptic Curve Cryptography digital authentication certificates. BD is currently testing and validating the Microsoft patch for BD products that use the affected third-party Windows versions. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, BD recommends the following for systems that use Windows 10, Windows Server 2016, and Windows Server 2019:

  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures
  • Execute updates to malware protection, where available

BD Products that Utilize Affected Windows Versions:

BD has received no reports of this third-party Microsoft vulnerability being exploited on BD products. The product list below is provided to help customers identify existing BD products that utilize Windows 10, Windows Server 2016, and Windows Server 2019. The list is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Alaris™ Systems Manager
  • BD Accuri™ C6 Plus
  • BD Assurity Linc™
  • BD BACTEC™ FX*
  • BD BACTEC™ FX40*
  • BD COR™ system
  • BD DataLink™
  • BD EpiCenter™*
  • BD FACSAria™
  • BD FACSCanto™
  • BD FACSCelesta™
  • BD FACSDuet™
  • BD FACSLyric™
  • BD FACSMelody™
  • BD FACSSample Prep Assistant™ (SPA)
  • BD HealthSight Analytics™
  • BD Kiestra™ IdentifA*
  • BD LSR II™
  • BD LSRFortessa™
  • BD MAX™*
  • BD MedMined™
  • BD Phoenix™ M50*
  • BD Rhapsody™ Single-Cell Analysis System
  • BD Specimen Collection Verification™ (SCV)


*Only applicable if the product is connected to Assurity Linc for remote service via RSS (Remote Service Solution)

Customers that maintain patches independently of BD's automated delivery are the responsible entity for these actions and should ensure they are performed in order to maintain the correct security posture of the system(s).


For product or site-specific concerns, contact your BD service representative. If you observe symptoms of this attack, disconnect your system from the network and contact your BD service representative.
