Product Security Bulletin for Third-Party Windows SMBv3 Vulnerability

Background

BD is aware of and is currently monitoring a third-party vulnerability that affects the Microsoft Server Message Block version 3.1.1 (SMBv3) protocol. This third-party vulnerability, which Microsoft corrected with their recent patch release, is not specific to BD or our products.

This remote code execution vulnerability, which affects Windows 10 only, impacts the way the SMBv3 protocol handles certain requests. The security patch, made by Microsoft, addresses the vulnerability by correcting how the SMBv3 protocol handles those requests. If successfully exploited, this vulnerability could potentially allow an unauthorized user to execute arbitrary code on the targeted system. Additionally, this third-party vulnerability can potentially be exploited in two ways:

  • An unauthorized user could send a specially crafted packet to a targeted SMBv3 server.
  • An unauthorized user could maliciously reconfigure an SMBv3 server and persuade a user to connect to it.

Response

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Windows 10.

  • Execute updates to malware protection, where available
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

BD Products that Utilize Affected Windows Versions:

BD has not received any reports of this third-party Microsoft vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize Windows 10. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD FACSAria™ Fusion
  • BD FACSAria™ II
  • BD FACSAria™ III
  • BD FACSCanto™ 10-color
  • BD FACSCanto™ II
  • BD FACSCelesta™
  • BD FACSLink™
  • BD FACSLyric™
  • BD FACSMelody™
  • BD FACSSample Prep Assistant™ (SPA)
  • BD FACSymphony™ A3/A5
  • BD FACSymphony™ S6
  • BD LSRFortessa™
  • BD LSR™ II

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s):

Ensure the following Microsoft patches have been applied:

 

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by any of these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.
