BD is aware of and currently monitoring three remote code execution vulnerabilities, which were announced by Microsoft on January 14, 2020 and affect Windows Remote Desktop capability. These third-party vulnerabilities, which Microsoft corrected with its latest patch releases, are not specific to BD or our products. Additionally, we have not received any reports regarding these third-party Microsoft vulnerabilities being exploited on BD products.
CVE-2020-0609 and CVE-2020-0610 exist in Windows Remote Desktop Gateway (RD Gateway) and could allow an unauthorized user to send specially crafted commands to the target system while using Windows Remote Desktop Protocol (RDP) to connect. The security updates released by Microsoft address these vulnerabilities by correcting how RD Gateway handles connection requests. These vulnerabilities affect Windows Server 2012, 2012 R2, 2016 and 2019.
In order to exploit these vulnerabilities, an unauthorized user would need to send specially crafted commands to the target system's RD Gateway via RDP.
CVE-2020-0611 exists in the Windows Remote Desktop Client and could allow an unauthorized user to connect to a malicious server. The security update released by Microsoft addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. This vulnerability affects Windows 7, 8.1, RT 8.1, 10, and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019. This vulnerability could potentially be exploited in two ways:
If successfully exploited, these third-party vulnerabilities could allow an unauthorized user to execute custom code. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.
BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Windows 10, 7, 8.1, RT 8.1, Windows Server 2008, 2012, 2012 R2, 2016 and 2019.
BD has not received any reports of these third-party Microsoft vulnerabilities being exploited on BD products. The product lists below are available to help customers identify existing BD products that utilize Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2012, 2012 R2, 2016, or 2019. The lists provided below are not comprehensive and may be updated as more products are identified. Note that these lists do not indicate the patch or device status.
BD Products that Utilize Remote Desktop and Windows Versions Affected by CVE-2020-0609 and CVE-2020-0610:
BD Products that Utilize Remote Desktop and Windows Versions Affected by CVE-2020-0611:
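The product lists above identify BD products by Windows version. The following host-side inventory check is an added example for customers who maintain their own patching; it is not BD's or Microsoft's code and is not part of this advisory. It assumes it is run in an elevated PowerShell session on the host being assessed, and the `$PatchKB` value is a placeholder that the operator must replace with the KB number of the Microsoft security update for that operating system (the advisory does not list KB numbers).

```powershell
# Added inventory check (not part of the BD advisory): reports whether this host runs a
# Windows version named in the advisory, whether the RD Gateway role or inbound RDP is
# present, and whether an operator-supplied update KB is installed.
# Assumptions: elevated session on the host itself; $PatchKB is a placeholder.

$PatchKB = 'KB0000000'   # PLACEHOLDER: replace with the KB of the January 2020 RDP update for this OS

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$caption  = $os.Caption
$isServer = $os.ProductType -ne 1   # ProductType: 1 = workstation, 2 = domain controller, 3 = server

# Windows versions named in the advisory. 'Server 2012' also matches 2012 R2 captions,
# and 'Server 2008' also matches 2008 R2 captions.
$gatewayAffected = @('Server 2012', 'Server 2016', 'Server 2019')                 # CVE-2020-0609 / CVE-2020-0610
$clientAffected  = @('Windows 7', 'Windows 8.1', 'Windows RT 8.1', 'Windows 10',
                     'Server 2008', 'Server 2012', 'Server 2016', 'Server 2019')  # CVE-2020-0611

$findings = [ordered]@{
    Host          = $env:COMPUTERNAME
    OS            = $caption
    Build         = $os.Version
    ClientScope   = ($clientAffected | Where-Object { $caption -like "*$_*" }).Count -gt 0
    GatewayScope  = $false
    RDGatewayRole = $false
    RDPEnabled    = $false
    PatchPresent  = $false
}

# The RD Gateway role exists only on Server SKUs; Get-WindowsFeature comes from ServerManager.
if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
    $findings.GatewayScope  = ($gatewayAffected | Where-Object { $caption -like "*$_*" }).Count -gt 0
    $gw = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
    $findings.RDGatewayRole = [bool]($gw -and $gw.Installed)
}

# fDenyTSConnections = 0 means inbound Remote Desktop connections are enabled on this host.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts) { $findings.RDPEnabled = ($ts.fDenyTSConnections -eq 0) }

# Installed-update check against the operator-supplied KB placeholder.
$findings.PatchPresent = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

[pscustomobject]$findings | Format-List

# Triage hints for the operator reviewing the output.
if (($findings.ClientScope -or $findings.GatewayScope) -and -not $findings.PatchPresent) {
    Write-Warning "Affected Windows version and the expected update was not found; confirm patch status with the Product Security Patching notifications before relying on this host."
}
if ($findings.RDGatewayRole -and -not $findings.PatchPresent) {
    Write-Warning "RD Gateway role is installed on a host without the expected update; limit gateway exposure until the update has been validated."
}
```

Run it on each candidate host and collect the `Format-List` output; hosts that report `ClientScope` or `GatewayScope` as true with `PatchPresent` false are the ones to reconcile against the BD product lists and the approved patching notifications. The script only reads system state and does not change any setting.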
Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s).
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by any of these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.