Product Security Bulletin for Third-Party Win32k Vulnerability

United States
North America

Canada (FR)

Canada (EN)

Mexico

United States

South America

Argentina

Brasil

Chile

Colombia
Europe

Belgium (FR)

Belgium (NL)

Česká republika

Denmark

Europe

Suomi

France

Deutschland

Hebrew

Hungary (EN)

Hungary (HU)

Ireland

Italia

Nederland

Norge

Polska

Россия

España

Sverige

Schweiz

Türkiye

United Kingdom
Middle East / Africa

Middle East, North Africa

Africa

Asia / Pacific

Australia / New Zealand

中国

Greater Asia

India

Indonesia

日本

Korea

Malaysia

Philippines

Singapore

Thailand

Vietnam
Login

Feb 18, 2020

Bulletins

CRITICAL

BD is aware of and currently monitoring two Microsoft vulnerabilities, which were announced on Dec. 10, 2019 and affect the Win32k graphic component within Windows products. These third-party vulnerabilities, which Microsoft corrected with their latest patch releases, are not specific to BD or our products. Additionally, we have not received any reports regarding these vulnerabilities being exploited on BD products.

CVE-2019-1458 is an elevation of privilege vulnerability that exists when the Win32k graphic component fails to properly handle objects in memory. In order to exploit this vulnerability, the attacker would need physical access to the system. This vulnerability affects Windows 10, 7, 8.1, 8.1 RT and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016. The security patch, made by Microsoft, remediates this vulnerability by correcting how Win32k handles objects in memory.

CVE-2019-1468 is a remote code execution vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. This vulnerability can be exploited in two ways:

An attacker could host an exploit on a malicious website and persuade the user to open the website through a social engineering tactic, such as a phishing email.
An attacker could share a malicious file and convince a user to open the document.

Accounts that operate with fewer user privileges could have less of an impact if exploited than those with administrative privileges. This vulnerability affects Windows 10, 7, 8.1, 8.1 RT and Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019. The security patch, made by Microsoft, remediates this vulnerability by correcting how the Windows font library handles embedded fonts.

If successfully exploited, these third-party vulnerabilities would allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

BD Products that Utilize Affected Windows Versions:

BD has not received any reports of these third-party Microsoft vulnerabilities. The product list below is available to customers to help identify existing BD products that utilize Windows 10, 7, 8.1, 8.1 RT and Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

BD Accuri™
BD Alaris™ System Maintenance
BD Alaris™ Systems Manager Server
BD Alaris™ Guardrails Editor Software
BD Assurity Linc™
BD BACTEC BOW*
BD BACTEC FX*
BD BACTEC FX40*
BD Care Coordination Engine™
BD COR System™*
BD DataLink™
BD Epicenter™
BD FACSAria™
BD FACSCanto
BD FACSCelesta™
BD FACSJazz™
BD FACSLink™
BD FACSLyric™
BD FACSMelody™
BD FACSVerse™
BD FACSVia™
BD FACSSample Prep Assistant™ (SPA)
BD FACSymphony™*
BD Focal Point Screen Review Station
BD HealthSight Analytics™
BD Influx™
BD Intelliport™
BD Kiestra™ IdentifA*
BD Kiestra™ TLA*

BD Kiestra™ WCA*
BD Kiestra™ InoqulA*
BD Knowledge Portal™
BD LSR™
BD LSRFortessa™
BD MAX™*
BD MedMined™
BD Patient Association Application™ (PAA)
BD Phoenix™ M50*
BD Pyxis™ Anesthesia Station 4000
BD Pyxis™ Anesthesia Station ES™
BD Pyxis™ CathRack System
BD Pyxis™ CIISafe
BD Pyxis™ CUBIE Replenishment System
BD Pyxis™ IV Prep
BD Pyxis™ KanBan RF
BD Pyxis™ Logistics
BD Pyxis™ MedStation ES
BD Pyxis™ MedStation™ 4000
BD Pyxis™ Order Viewer
BD Pyxis™ PARx™
BD Pyxis™ PharmoPack™
BD Pyxis™ ProcedureStation™ system with Tissue and Implant Module
BD Pyxis™ Server ES
BD Pyxis™ SupplyStation
BD Pyxis™ Tissue & Implant Management System
BD Synapsys™
BD Totalys™ Multiprocessor*
BD Totalys™ SlidePrep*
BD Viper LT™*

*Note: While these products are in scope of CVE-2019-1468, exposure to this vulnerability is limited as these devices should not be connected to the internet and should be either standalone or on an isolated, segmented network (per “Directions for Use”).

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s). 

Ensure the following Microsoft patches have been applied:

For product- or site-specific concerns, contact your BD service representative. If you observe symptoms of this attack, disconnect your system from the network and contact your BD service representative immediately.