This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to the BD products in scope, as well as to products, whether or not actively supported by BD, that run Microsoft Windows operating systems. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD’s culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risk, even risks caused by third-party software and/or operating systems.
BD is aware of a vulnerability in the Microsoft Windows task scheduler which, if exploited, could allow malicious attackers to gain elevated system privileges. It is a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface. It has been observed targeting fully patched Microsoft Windows 10 64-bit and Windows Server 2016 operating systems. This is not a BD-specific vulnerability, and there have been no reports of a BD product being affected by this vulnerability.
--------- Begin Update B: January 24, 2019 ---------
Products in Scope
BD has provided a list of BD products in scope that use Microsoft Windows operating systems and are potentially affected by this vulnerability.
Mitigations & Compensating Controls
BD will implement vendor patches, where maintained by BD, in BD's next routine patch deployment process for products in scope. If you have a BD product in scope for which BD maintains and administers patching, no customer action is needed.
For customers that maintain patching management independent of BD updates, BD recommends implementing multiple layers of security controls in order to reduce risk associated with this vulnerability:
--------- End Update B: January 24, 2019 ---------
For product or site-specific concerns, contact your BD service representative.
US-CERT: Vulnerability Note VU#906424
Last BD Publication Update: 01/24/2019
Original BD Publication Date: 08/31/2018