Third-party Vulnerability

Internet Explorer (CVE-2020-0674)

Background

BD is aware of and currently monitoring a Microsoft vulnerability, which was announced on January 21, 2020 and affects Internet Explorer. This third-party vulnerability, which Microsoft corrected with their February patch release, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.

CVE-2020-0674 is a remote code execution vulnerability in the way that the Internet Explorer scripting engine handles objects in memory. This vulnerability affects Internet Explorer 9, 10, and 11, which are used by Windows 7, 8, 10, and Windows Server 2008 R2, 2012, 2016, and 2019. The security patch made available by Microsoft addresses the vulnerability by modifying how the scripting engine handles objects in memory.

This vulnerability could cause memory corruption and could allow an unauthorized user to execute custom code that would appear to come from the authorized account. If successfully exploited, an unauthorized user would be able to gain the same user rights as a logged-in user. This vulnerability can be exploited through a web-based attack scenario if a user browses to a malicious website through Internet Explorer.

Response

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Internet Explorer 9, 10, and 11.

  • Execute updates to malware protection, where available
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

Begin Update A: September 15, 2020

After further assessment, BD identified additional products in scope of this vulnerability. BD continues to test and validate the Microsoft patch for BD products using Internet Explorer 9, 10, and 11. For all approved patching notifications, please see the Product Security Patch website.

  • BD Accuri™ C6
  • BD FACSJazz™
  • BD FACSVia™
  • BD Influx™

End Update A: September 15, 2020

BD Products that Utilize Affected Windows Versions:

BD has not received any reports of this third-party Microsoft vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize Internet Explorer 9, 10, and 11. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Assurity Linc
  • BD BACTEC BOW*
  • BD BACTEC FX*
  • BD BACTEC FX40*
  • BD COR System*
  • BD DataLink
  • BD EpiCenter
  • BD Focal Point Screen Review Station*
  • BD MAX*
  • BD Pyxis™ IV Prep
  • BD Pyxis™ KanBan RF
  • BD Pyxis™ Logistics
  • BD Pyxis™ MedStation 3500
  • BD Pyxis™ MedStation™ 4000
  • BD Pyxis™ MedStation™ ES
  • BD Pyxis™ Order Viewer
  • BD Pyxis™ PharmoPack™
  • BD Pyxis™ ProcedureStation™ system with Tissue and Implant module
  • BD Pyxis™ Server ES
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Tissue & Implant Management System
  • BD Totalys™ Multiprocessor*
  • BD Totalys™ SlidePrep*
  • BD Viper LT*

Additional Resources

  • *Note: While these products are within scope of this vulnerability, exposure to this vulnerability is limited as these devices should not be connected to the internet and should be either standalone or on an isolated, segmented network (per “Directions for Use”).
  • Customers that maintain patches independently of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s).
  • Ensure the following Microsoft patches have been applied:
  • For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.