Microsoft Windows Task Scheduler Vulnerability

Background

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

It applies to BD products in scope that run Microsoft Windows operating systems, as well as to other products running Microsoft Windows, whether or not they are actively supported by BD. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD’s culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risks, even those caused by third-party software and/or operating systems.

BD is aware of a vulnerability in the Microsoft Windows Task Scheduler that, if exploited, could allow malicious attackers to gain elevated system privileges. It is a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface. It has been observed targeting fully patched Microsoft Windows 10 64-bit and Windows Server 2016 operating systems. This is not a BD-specific vulnerability, and there have been no reports of a BD product being affected by this vulnerability.

--------- Begin Update B: January 24, 2019 ---------

Response

Products in Scope

BD has provided a list of BD products in scope that use Microsoft Windows operating systems and are potentially affected by this vulnerability.

Mitigations & Compensating Controls

BD will implement vendor patches, where maintained by BD, in BD's next routine patch deployment process for products in scope. If you have a BD product in scope for which BD maintains and administers patching, no customer action is needed.

For customers that manage patching independently of BD updates, BD recommends implementing multiple layers of security controls in order to reduce the risk associated with this vulnerability:

  • Ensure the vendor’s patches have been implemented as per local patch management policy
  • Ensure appropriate security controls are in place:
    • Limit and monitor network share permissions
    • Limit and monitor privileged account use
    • Limit and monitor outbound network activity
    • Use application whitelisting technologies
    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available
    • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

--------- End Update B: January 24, 2019 ---------

For product or site-specific concerns, contact your BD service representative.

Additional Resources

US-CERT: Vulnerability Note VU#906424

Last BD Publication Update: 01/24/2019
Original BD Publication Date: 08/31/2018