Remote Desktop Services Remote Code Execution Vulnerability "BlueKeep"

Background

BD is aware of and currently monitoring the Remote Desktop Services Remote Code Execution vulnerability. This vulnerability was announced by Microsoft on May 14, 2019. It affects systems running Remote Desktop Services on Windows XP, Windows 7, Windows 2003 and Windows 2008. The vulnerability can be exploited remotely, in the default configuration, and without any authentication. To exploit it, an attacker must be able to reach the Remote Desktop Protocol (RDP) service of the target system over the network.

An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Similar to the WannaCry malware, exploits of this vulnerability could spread from vulnerable computer to vulnerable computer. Please see BD’s previous response to WannaCry for more information.

Begin Update F: September 19, 2019

Patching for all impacted BD Biosciences instruments has been tested and approved for BD products running Remote Desktop Services with Windows XP and Windows 7, with the exception of BD Influx™.

A complete list of product security patches for this Remote Desktop Services Remote Code Execution vulnerability is available on our Product Security Patches Website.

End Update F: September 19, 2019

Begin Update E: July 12, 2019

Patching for BD Diagnostics Systems products (BD MAX™, BD BACTEC™ Touch, BD EpiCenter™, BD Kiestra™ InoqulA, BD Kiestra™ TLA/WCA) has been tested and approved for products running Remote Desktop Services with Windows 7. Patches can be self-administered for BD EpiCenter™ or installed by BD field service support at the next scheduled maintenance interval. Patching will not be validated for BD Innova™ as this is a disconnected product with no network or internet connectivity.

Patching for all impacted BD Biosciences instruments has been tested and approved for BD products running Remote Desktop Services with Windows XP and Windows 7, with the exceptions of BD FACSLink™ and Influx™. Testing for these products is now expected by the end of July 2019.

End Update E

Begin Update D: June 26, 2019

Patching for the BD Pyxis™ and BD Alaris™ suites of products has been tested and approved for BD products running Remote Desktop Services with Windows XP, Windows 7, Windows 2003 and Windows 2008. BD began to deploy patches to the BD-supported BD Pyxis™ and BD Alaris™ products on May 24, 2019. A communication was sent to targeted customers informing them of the patch deployment. The approved patches and product security scripts may initiate a restart of servers and workstations.

BD is continuing to test and validate the Microsoft patch for BD Biosciences instrument systems, expected by the end of June 2019. Patching for BD Diagnostic Systems products is expected by July 2019. Patching will not be validated for BD Innova™ as this is a disconnected product with no network or internet connectivity.

End Update D

Begin Update C: May 28, 2019

BD is continuing to test and validate the Microsoft patch for BD products that use remote desktop services. Patching for BD Biosciences instrument systems is expected by mid-late June 2019.

Patching for the BD Pyxis™ and BD Alaris™ suites of products has been tested and approved for BD products running Remote Desktop Services with Windows XP, Windows 7, Windows 2003 and Windows 2008. BD will begin to deploy patches to the BD-supported BD Pyxis™ and BD Alaris™ devices. A standard customer patch communication will be sent out with this information. The approved patches and product security scripts may initiate a restart of servers and workstations.

End Update C

Begin Update B: May 21, 2019

BD is continuing to test and validate the Microsoft patch for BD products that use remote desktop services. Patching for the BD Pyxis™ suite of products is expected by the end of May 2019. Patching for Diagnostic devices is expected by the end of June 2019.

BD has added to the list below in Update A in order to better help our customers identify any BD products running Remote Desktop Services on Windows XP, Windows 7, Windows 2003 and Windows 2008.

End Update B

Begin Update A: May 20, 2019

BD has provided the list below in order to better help our customers identify any BD products running Remote Desktop Services on Windows XP, Windows 7, Windows 2003 and Windows 2008. The list is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Accuri™
  • BD FACSAria™
  • BD FACSCanto™
  • BD FACSCelesta™
  • BD FACSJazz™
  • BD FACSLink™
  • BD FACSLyric™
  • BD FACSSample Prep Assistant™
  • BD FACSVerse™
  • BD FACSVia™
  • BD FACSymphony™
  • Influx™
  • LSR II
  • BD BACTEC™ Touch
  • BD Kiestra™ InoqulA
  • BD MAX
  • BD Kiestra™ TLA/WCA
  • LSRFortessa™
  • BD EpiCenter™
  • BD Pyxis™ Anesthesia Station
  • BD Pyxis™ CIISafe
  • BD Pyxis™ CUBIE Replenishment System
  • BD Pyxis™ MedStation™
  • BD Pyxis™ Order Viewer
  • BD Pyxis™ SupplyStation™
  • HealthSight Analytics
  • Site~Rite 8® Ultrasound Systems
  • FloChec™
  • HealthSight Data Manager: Common Formulary
  • Site~Rite Vision® 8 Ultrasound Systems
  • HealthSiteViewer
  • Rowa™ vMax
  • BD Innova™
  • BD Pyxis™ Enterprise Server

BD is continuing to test and validate the Microsoft patch for BD products that use remote desktop services.

End Update A

Response

BD has had no reports of this vulnerability being exploited on a BD product, but is currently working to test and validate the Microsoft patch for BD products that use Remote Desktop Services. Additionally, BD recommends the following for systems that run Remote Desktop Services and communicate with the RDP server on Windows XP, Windows 7, Windows 2003 and Windows 2008:

  • Enable the Network Level Authentication (NLA) option in the RDP server configuration.
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.
  • Execute updates to malware protection, where available.
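The following PowerShell script is an added example for auditing the first recommendation above; it is not a BD script or product security script. It assumes it is run elevated on a Windows 7 or Windows 2008 host (NLA can only be enforced on the server side from Windows Vista/2008 onward, so on Windows XP and Windows 2003 only the patch applies), uses PowerShell 2.0-compatible cmdlets, and takes the Microsoft KB number of the fix as a parameter because this page does not list it (the default `KBnnnnnnn` is a placeholder). With `-EnableNla` it turns NLA on through the `Win32_TSGeneralSetting` WMI class; without it, it only reports.

```powershell
# Added example (not BD's script): report whether RDP is enabled, whether NLA
# is required, and whether a given Microsoft update is installed; optionally
# enable NLA. Run in an elevated PowerShell session on Windows 7 / 2008.
param(
    [switch]$EnableNla,
    # Placeholder: replace with the Microsoft KB that carries the CVE-2019-0708
    # fix for this OS (see the Microsoft links under "Additional Resources").
    [string]$PatchKb = 'KBnnnnnnn'
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means incoming RDP is refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Is NLA required? UserAuthentication = 1 means the client must authenticate
#    (CredSSP) before a session is created, so unauthenticated requests are
#    rejected before they reach the vulnerable code path.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 3. Is the fix installed? Only checked when a real KB id was supplied.
$patched = $false
if ($PatchKb -ne 'KBnnnnnnn') {
    $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKb })
}

Write-Output ("RDP enabled       : {0}" -f $rdpEnabled)
Write-Output ("NLA required      : {0}" -f $nlaRequired)
Write-Output ("Patch {0} present : {1}" -f $PatchKb, $patched)

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP accepts unauthenticated session requests (NLA is off).'
    if ($EnableNla) {
        # Win32_TSGeneralSetting exposes SetUserAuthenticationRequired(1) to
        # require NLA on the RDP-Tcp listener; ReturnValue 0 means success.
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                            -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
        $result = $ts.SetUserAuthenticationRequired(1)
        Write-Output ("SetUserAuthenticationRequired returned {0}" -f $result.ReturnValue)
    }
}

if ($rdpEnabled -and -not $patched) {
    # NLA only raises the bar (an attacker would first need valid credentials);
    # it does not remove the flaw, so the patch is still required.
    Write-Warning 'Host is still unpatched for CVE-2019-0708; apply the approved update.'
}
```

Run it once without switches to record the baseline, and use `-EnableNla` only on systems where you, rather than BD, administer the configuration; for BD-managed instruments the page directs you to your BD service representative, and the approved patch remains the real fix.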

Customers who maintain patches independently of BD's automated delivery are the responsible entity for ensuring these actions are performed, in order to maintain the correct security posture of the system(s).

Additional Resources

For procedures specific to your product or site-specific concerns, contact your BD service representative. If you observe symptoms of this attack, disconnect your system from the network and contact your BD service representative immediately.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

Last BD Publication Update: 05/15/2019
Original BD Publication Date: 05/15/2018
