Third-party Vulnerability



BD is aware of and currently monitoring vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries, collectively referred to as BadAlloc. These third-party vulnerabilities are not specific to BD or our products.

Of the 25 vulnerabilities known as BadAlloc, two have the potential to impact BD products. Neither are related to CISA Alert (AA21-229A). BD is providing this update to let customers know which BD products could be affected by these third-party vulnerabilities.

  • CVE-2020-28895 – In Windriver VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
  • CVE-2020-35198 – In Windriver VxWorks, the APIs cacheDmaMalloc()/cacheArchDmaMalloc()/mmap64() align the size of the requested buffer with the memory page size of the target platform. If the requested size is large enough to cause integer overflow by the alignment calculation, a valid pointer to a buffer that is smaller than the requested size is returned, opening the door to use for heap overflow attacks.

There have been no reports of these vulnerabilities being exploited on BD products.

BD Products that Utilize affected Windriver VxWorks Products

The product list below identifies existing BD products that utilize in-scope Windriver VxWorks products. The list may be updated as more products are identified. In addition, this list does not indicate the patch or device status. Please check back periodically for updates.

The BD product listed below is in scope for CVE-2020-28895 and CVE-2020-35198:

  • BD FocalPoint™ Slide Profiler

Clinical Risk Assessment and Patient Safety Impact

A successful attack on the BD FocalPoint Slide Profiler may impact system availability (i.e., may cause system downtime, requiring a service visit). As cervical cytology slides can be evaluated manually when the system is unavailable, lack of system availability is not anticipated to introduce a significant delay in results reporting.


BD is evaluating options for remediating the vulnerability via an upgrade to the VxWorks operating system. Please refer to the Bulletins and Patches page for all approved product security patching notifications.

BD additionally recommends the following compensating controls for customers using BD products impacted by this vulnerability:

  • Customers should limit physical access to the affected devices to authorized users only. We recommend physically securing the system and its input devices behind barriers that require authentication or security clearance.
  • Customers with devices that utilize in-scope Windriver VxWorks products that are connected to an external network are advised to enforce network segmentation controls and proper network hygiene measures such as restricting external communication paths where applicable and isolating or containing vulnerable devices in zones accessible by authorized users.

Additional Resources

For product or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.

Chat with us
Our live chat is available between the hours of 8.30am - 5.00pm EST, Monday - Friday