Third-party Vulnerability

Third-Party ESET – Privilege Escalation

Background

Last Updated: July 8, 2024

Original Publication: March 29, 2024 

This notification is voluntarily shared by BD with Information Sharing and Analysis Organizations (ISAOs).

BD communicates with our customers about cybersecurity vulnerabilities to help enable healthcare providers to manage potential risks through awareness and guidance.

BD is aware of and currently monitoring a vulnerability affecting multiple ESET products and versions. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party ESET vulnerability:

  • CVE-2024-0353 – The vulnerability in file operations handling, performed by the Real-time file system protection feature on the Windows operating system, potentially allows an attacker with an ability to execute low-privileged code on the target system to delete arbitrary files as NT AUTHORITY\SYSTEM, escalating their privileges.
    • CVSS: 7.8 (High) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Remediation

BEGIN UPDATE A: July 8, 2024

BD has made an update available for BD-managed products affected by this vulnerability. The update requires no downtime, and customers should have already received it automatically. To confirm this update has been applied to your product(s), please contact the Technical Support Center (TSC) through the Customer Self-Service Portal. If additional assistance is required, please call the TSC at (800) 727-6102.

END UPDATE A: July 8, 2024

Products that utilize impacted versions of ESET products

This notification applies to the following BD products: 

  • BD Care Coordination Engine™ (CCE)
  • BD Parata™ IntelliCab™ Will-Call System 
  • BD Parata™ IntelliVault™ Controlled Substance Management System
  • BD Pyxis™ Anesthesia Station 4000
  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ CathRack System
  • BD Pyxis™ CIISafe™
  • BD Pyxis™ CIISafe™ ES
  • BD Pyxis™ Enterprise Server
  • BD Pyxis™ IV Prep
  • BD Pyxis™ Logistics
  • BD Pyxis™ Medstation™ 4000
  • BD Pyxis™ Medstation™ ES
  • BD Pyxis™ Order Viewer
  • BD Pyxis™ PARx™
  • BD Pyxis™ StockStation™
  • BD Pyxis™ Supply Knowledge Portal
  • BD Pyxis™ SupplyStation™
  • BD Pyxis™ Tissue & Implant Management System

This list does not indicate the patch or device status. It may be updated if more products are identified. Please check back periodically for updates.

Customers who maintain patches independently of BD's automated delivery should ensure that the actions listed in the ESET advisory are performed, in order to maintain the correct security posture of their system(s).

Response

BD is currently evaluating the ESET patch(es) and other mitigations for BD products that use the affected third-party component. Please check back periodically for updates. Please refer to the Bulletins and Patches page for all approved product security patching notifications.

Additionally, BD recommends the following mitigations and compensating controls to reduce the risk(s) associated with this vulnerability:

  • BD products should be used in a manner consistent with their approved workflows.
  • Ensure physical access controls are in place and only authorized end-users can access the BD products.
  • If BD products must be connected to a network, ensure industry-standard network security policies and procedures are followed, including but not limited to:
    • Intrusion detection/prevention systems to monitor network traffic
    • Network segmentation
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.