United States
North America

Canada (FR)

Canada (EN)

Mexico

United States

South America

Argentina

Brasil

Chile

Colombia
Europe

Belgium (FR)

Belgium (NL)

Česká republika

Denmark

Europe

Suomi

France

Deutschland

Hebrew

Hungary (EN)

Hungary (HU)

Ireland

Italia

Nederland

Norge

Polska

Россия

España

Sverige

Schweiz

Türkiye

United Kingdom
Middle East / Africa

Middle East, North Africa

Africa

Asia / Pacific

Australia / New Zealand

中国

Greater Asia

India

Indonesia

日本

Korea

Malaysia

Philippines

Singapore

Thailand

Vietnam
Login

Third-party Vulnerability

Windows DNS Server

Sep 08, 2020

Bulletins

CRITICAL

BD is aware of and currently monitoring a Microsoft vulnerability, which affects Windows Domain Name System (DNS). This third-party vulnerability, which Microsoft corrected with their recent patch release, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.

CVE-2020-1350 is a remote code execution vulnerability that exists in the way Windows DNS servers handle requests. This vulnerability affects Windows Server 2008, 2012, 2012 R2, 2016, and 2019 that are configured as DNS servers. If exploited, an unauthorized user could potentially execute custom code on the system in the context of the Local System Account. An unauthorized user could exploit this vulnerability by sending malicious traffic to Windows DNS servers. The security patch, made by Microsoft, addresses the vulnerability by correcting how Windows DNS servers handle requests.

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Windows Server 2008, 2012, 2012 R2, 2016, and 2019 with DNS enabled:

Execute updates to malware protection, where available
Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

BD has not received any reports of this third-party vulnerability. The product list below is available to customers to help identify existing BD products that utilize Windows Server 2008, 2012, 2012 R2, 2016, and 2019 with DNS enabled. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

BD Alaris™ Systems Maintenance (ASM)
BD Alaris™ Systems Manager (SM)
BD FocalPoint™ Large Lab Server
BD HealthSight™ Clinical Advisor (Formerly MedMined)
BD HealthSight™ Data Manager
BD HealthSight™ Diversion Management
BD HealthSight™ Infection Advisor (Formerly MedMined)
BD HealthSight™ Inventory Optimization

BD Infusion Knowledge Portal™
BD Kiestra™ InoqulA
BD Kiestra™ ReadA
BD Kiestra™ TLA with a SCU
BD Kiestra™ WCA with a SCU
BD Medication Knowledge Portal™
BD Supply Knowledge Portal™
BD Synapsys™

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s).

Ensure the following Microsoft patches have been applied:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.