BD is aware of and currently monitoring vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries, collectively referred to as BadAlloc. These third-party vulnerabilities are not specific to BD or our products.
Of the 25 vulnerabilities known as BadAlloc, two have the potential to impact BD products. Neither is related to CISA Alert AA21-229A. BD is providing this update to let customers know which BD products could be affected by these third-party vulnerabilities.
There have been no reports of these vulnerabilities being exploited on BD products.
The product list below identifies existing BD products that use in-scope Wind River VxWorks products. The list may be updated as more products are identified. In addition, this list does not indicate patch or device status. Please check back periodically for updates.
The BD product listed below is in scope for CVE-2020-28895 and CVE-2020-35198:
A successful attack on the BD FocalPoint Slide Profiler may impact system availability (i.e., may cause system downtime, requiring a service visit). As cervical cytology slides can be evaluated manually when the system is unavailable, lack of system availability is not anticipated to introduce a significant delay in results reporting.
BD is evaluating options for remediating the vulnerability via an upgrade to the VxWorks operating system. Please refer to the Bulletins and Patches page for all approved product security patching notifications.
BD additionally recommends the following compensating controls for customers using BD products impacted by this vulnerability:
For product or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.