Product Security Bulletin for Third-Party Remote Desktop Vulnerabilities

Background

BD is aware of and currently monitoring three remote code execution vulnerabilities, which were announced by Microsoft on January 14, 2020 and affect Windows Remote Desktop capability. These third-party vulnerabilities, which Microsoft corrected with its latest patch releases, are not specific to BD or our products. Additionally, we have not received any reports regarding these third-party Microsoft vulnerabilities being exploited on BD products.

CVE-2020-0609 and CVE-2020-0610 exist in Windows Remote Desktop Gateway (RD Gateway) and could allow an unauthorized user to send specially crafted commands to the target systems while using Windows Remote Desktop Protocol (RDP) to connect. The security updates, made by Microsoft, address these vulnerabilities by correcting how RD Gateway handles connection requests. These vulnerabilities affect Windows Server 2012, 2012 R2, 2016 and 2019.

In order to exploit these vulnerabilities, an unauthorized user would need to send specially crafted commands to the target system's RD Gateway via RDP.

CVE-2020-0611 exists in the Windows Remote Desktop Client and could allow an unauthorized user to connect to a malicious server. The security update, made by Microsoft, addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests. This vulnerability affects Windows 7, 8.1, RT 8.1, 10 and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019. This vulnerability could potentially be exploited in two ways:

  • An unauthorized user could take control of a server and then convince a user to connect to it through a social engineering tactic, DNS poisoning or a man-in-the-middle method.
  • An unauthorized user could also compromise a server, execute malicious code on it and wait for the user to connect to it.

If successfully exploited, these third-party vulnerabilities could allow an unauthorized user to execute arbitrary code. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

Response

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that run Windows 10, 7, 8.1, RT 8.1, or Windows Server 2008, 2012, 2012 R2, 2016 and 2019.

  • Execute updates to malware protection, where available
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures
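As an added triage example (not BD's or Microsoft's code), the following PowerShell script checks a host against the version lists in this bulletin: it flags RD Gateway exposure (CVE-2020-0609/0610) and Remote Desktop Client exposure (CVE-2020-0611), then compares installed hotfixes against KB numbers you supply, because the bulletin does not list them. The OS caption patterns and the `RDS-Gateway` feature name are assumptions about how the host reports itself.

```powershell
# Added example, not BD's or Microsoft's code. Run in an elevated PowerShell session.
# Assumptions: OS caption strings match the patterns below; the RD Gateway role is
# reported by Get-WindowsFeature -Name RDS-Gateway; KB IDs are supplied by the caller
# because the bulletin does not list them.
param(
    # KB article IDs of the January 2020 Microsoft updates for this OS (placeholder).
    [string[]]$ExpectedKBs = @('KB_PLACEHOLDER')
)

function Get-RdpExposure {
    param([string[]]$KBs)

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $caption  = $os.Caption
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = DC, 3 = member server
    $findings = @()

    # CVE-2020-0609 / CVE-2020-0610: RD Gateway on Windows Server 2012, 2012 R2, 2016, 2019.
    if ($isServer -and $caption -match 'Server (2012|2016|2019)') {
        $gw = $null
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
            $gw = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
        }
        if ($gw -and $gw.Installed) {
            $findings += 'CVE-2020-0609/0610: RD Gateway role installed on an affected server version'
        }
    }

    # CVE-2020-0611: Remote Desktop Client on Windows 7, 8.1, RT 8.1, 10 and Server 2008-2019.
    if ($caption -match 'Windows (7|8\.1|RT 8\.1|10)\b|Server (2008|2012|2016|2019)') {
        $findings += 'CVE-2020-0611: Remote Desktop Client present on an affected Windows version'
    }

    # Patch status: which of the expected KBs are not reported by Get-HotFix.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($KBs | Where-Object { $_ -notin $installed })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $caption
        Exposure     = $findings
        MissingKBs   = $missing
        Action       = if ($findings -and $missing) { 'Apply BD-approved patch; keep compensating controls in place' }
                       elseif ($findings) { 'Affected version; expected KBs reported as installed' }
                       else { 'Not in bulletin scope' }
    }
}

Get-RdpExposure -KBs $ExpectedKBs | Format-List
```

Get-HotFix reads Win32_QuickFixEngineering, which can omit some cumulative updates, so treat a reported missing KB as a prompt to confirm in Windows Update history rather than as proof the host is unpatched.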

BD Products that Utilize Affected Windows Versions:

BD has not received any reports of these third-party Microsoft vulnerabilities being exploited on BD products. The product lists below are available to help customers identify existing BD products that utilize Windows 7, 8.1, RT 8.1, 10, or Windows Server 2008, 2012, 2012 R2, 2016 or 2019. The lists provided below are not comprehensive and may be updated as more products are identified. Note that these lists do not indicate patch status or device status.

BD Products that Utilize Remote Desktop and Windows Versions Affected by CVE-2020-0609 and CVE-2020-0610:

  • BD FocalPoint™ Large Lab Server
  • BD Kiestra™ InoqulA
  • BD Kiestra™ TLA
  • BD Kiestra™ WCA
  • BD Specimen Collection Verification™ (SCV)

BD Products that Utilize Remote Desktop and Windows Versions Affected by CVE-2020-0611:

  • BD BACTEC™ Touch
  • BD EpiCenter™
  • BD HealthSight Analytics™
  • BD Kiestra™ InoqulA
  • BD Kiestra™ TLA
  • BD Kiestra™ WCA
  • BD Knowledge Portal™
  • BD MAX™
  • BD MedMined™
  • BD Specimen Collection Verification™ (SCV)

Customers that maintain patches independently of BD's automated delivery are the responsible entity for these actions and should ensure they are performed in order to maintain the correct security posture of their system(s).

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by any of these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.