Third-party Vulnerability

Windows DNS Server

Background

BD is aware of and currently monitoring a Microsoft vulnerability that affects the Windows Domain Name System (DNS) Server. This third-party vulnerability, which Microsoft corrected in its recent patch release, is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products.

CVE-2020-1350 is a remote code execution vulnerability in the way Windows DNS servers handle requests. It affects Windows Server 2008, 2012, 2012 R2, 2016, and 2019 systems that are configured as DNS servers. If exploited, an unauthorized user could execute arbitrary code on the system in the context of the Local System account. An unauthorized user could exploit this vulnerability by sending malicious traffic to a Windows DNS server. Microsoft's security patch addresses the vulnerability by correcting how Windows DNS servers handle requests.

Response

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Windows Server 2008, 2012, 2012 R2, 2016, and 2019 with DNS enabled:

  • Execute updates to malware protection, where available
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

BD Products that Utilize Affected Windows Products:

BD has not received any reports of this third-party vulnerability being exploited on BD products. The product list below is provided to help customers identify existing BD products that utilize Windows Server 2008, 2012, 2012 R2, 2016, and 2019 with DNS enabled. The list is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Alaris™ Systems Maintenance (ASM)
  • BD Alaris™ Systems Manager (SM)
  • BD FocalPoint™ Large Lab Server
  • BD HealthSight™ Clinical Advisor (Formerly MedMined)
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor (Formerly MedMined)
  • BD HealthSight™ Inventory Optimization
  • BD Infusion Knowledge Portal™
  • BD Kiestra™ InoqulA
  • BD Kiestra™ ReadA
  • BD Kiestra™ TLA with a SCU
  • BD Kiestra™ WCA with a SCU
  • BD Medication Knowledge Portal™
  • BD Supply Knowledge Portal™
  • BD Synapsys™

Customers who maintain patches independently of BD's automated delivery are the responsible entity for those systems and should ensure these actions are performed in order to maintain the correct security posture of the system(s).

Ensure the following Microsoft patches have been applied:
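As an added illustration that is not part of BD's bulletin or Microsoft's guidance, the following PowerShell check inventories a single host against the conditions this bulletin describes: an affected Windows Server version, the DNS Server role installed, and a Microsoft update present. The KB number is a placeholder (`$PatchKb`), since the bulletin itself lists none; substitute the identifier from Microsoft's release for CVE-2020-1350.

```powershell
# Added example (not BD's or Microsoft's code): per-host exposure check for CVE-2020-1350.
# Reports whether this host is an affected Windows Server build, whether the DNS Server
# role is installed, and whether the named Microsoft update is present.
param(
    [string]$PatchKb = 'KBxxxxxxx'   # placeholder: the bulletin lists no KB number
)

# Windows Server versions named in the bulletin, matched against the OS caption.
# Note that '2012' also matches '2012 R2', which is intended.
$affectedVersions = @('2008', '2012', '2012 R2', '2016', '2019')

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$caption = $os.Caption

$isAffectedVersion = $false
foreach ($v in $affectedVersions) {
    if ($caption -like "*Windows Server $v*") { $isAffectedVersion = $true }
}

# The DNS Server role is what exposes the host to the malicious traffic described.
# Get-WindowsFeature comes from the ServerManager module, so guard for non-server hosts.
$dnsInstalled = $false
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $dnsRole = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
    $dnsInstalled = ($null -ne $dnsRole) -and [bool]$dnsRole.Installed
}

# Get-HotFix lists installed updates by KB id; nothing is returned if it is absent.
$patch = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
$patched = $null -ne $patch

# ActionRequired is true only when all three exposure conditions hold.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OperatingSystem = $caption
    AffectedVersion = $isAffectedVersion
    DnsServerRole   = $dnsInstalled
    PatchInstalled  = $patched
    ActionRequired  = $isAffectedVersion -and $dnsInstalled -and (-not $patched)
}
```

Run it from an elevated PowerShell session on each server that hosts one of the listed BD products; a result with `ActionRequired` set to `True` identifies a system that still needs the Microsoft update applied.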

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.