Third-party Vulnerability

Microsoft Win32k

Background

BD is aware of and currently monitoring a Microsoft Win32k zero-day vulnerability affecting all editions of Windows 10 and Windows Server 2019. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party vulnerability.

  • CVE-2021-1732 – Microsoft released a security advisory for a zero-day vulnerability that, if exploited, could allow for an elevation of privilege in Win32k, a core component of the Windows operating system. Impacted Microsoft Windows versions include: Windows 10 (all editions) and Windows Server 2019 (all editions).

BD products that utilize affected Microsoft Windows versions

The product list below identifies existing BD products that utilize in-scope Microsoft products. The list may be updated as more products are identified. In addition, this list does not indicate the patch or device status. Please check back periodically for updates.

The BD products listed below are in scope for CVE-2021-1732:

  • BD Accuri™ C6 Plus
  • BD Assurity Linc™ Plus
  • BD COR™
  • BD EpiCenter™ Data Management Center
  • BD FACSAria™ Fusion with FACSDiva™
  • BD FACSAria™ II with FACSDiva™
  • BD FACSAria™ III with FACSDiva™
  • BD FACSCanto™ 10-color with FACSDiva™
  • BD FACSCanto™ 10-color clinical with FACSCanto™ Clinical
  • BD FACSCanto™ II with FACSDiva™
  • BD FACSCanto™ II clinical with FACSCanto™ Clinical
  • BD FACSCelesta™ with FACSDiva™
  • BD FACSDuet™
  • BD FACSLink™
  • BD FACSLyric™ with FACSuite™ Clinical
  • BD FACSLyric™ with FACSuite™
  • BD FACSMelody™
  • BD FACS™ Sample Prep Assistant (SPA) III
  • BD FACSymphony™ A3/A5 with FACSDiva™
  • BD FACSymphony™ S6 with FACSDiva™
  • BD Kiestra™ InoqulA standalone
  • BD Kiestra™ ReadA standalone
  • BD Kiestra™ TLA
  • BD Kiestra™ WCA
  • BD LSR II with FACSDiva™
  • BD LSRFortessa™ with FACSDiva™
  • BD LSRFortessa™ X-20 with FACSDiva™
  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ CathRack System
  • BD Pyxis™ CIISafe
  • BD Pyxis™ KanBan RF
  • BD Pyxis™ MedStation™ ES
  • BD Pyxis™ MedStation™ ES Integrated Main system
  • BD Pyxis™ ProcedureStation™ system with Tissue and Implant module
  • BD Pyxis™ SupplyStation™ (RFID)
  • BD Pyxis™ SupplyStation™
  • BD Rowa™ - Dose (Windows 7 & Windows 10)
  • BD Rowa™ - Vmax
  • BD Rowa™ Vmotion

Customers that maintain patches independently of BD automated delivery are the responsible entity for performing these actions; they should maintain the correct security posture of the system(s) and ensure that the proper Microsoft Windows patches have been applied.

Response

BD is currently working to test and validate the Microsoft patch(es) for BD products that use the affected third-party components. Some patches may already be available. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Microsoft Windows 10 and Microsoft Windows Server 2019:

  • Customers should limit physical access to the affected devices to authorized users only. We recommend physically securing the system and its input devices behind barriers that require authentication or security clearance, as feasible for the product and the customer’s environment of use.

  • Customers with devices that utilize Microsoft Windows 10 and/or Microsoft Windows Server 2019 and are connected to an external network are advised to consider disconnecting those devices from the external network, as feasible, or to apply appropriate network segmentation. We recommend that customers place affected devices on an isolated network and follow industry-standard best practices for network security, as feasible in the customer’s environment of use.

  • Execute updates to your malware protection, where available.

  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.

  • Disable any unnecessary accounts, protocols, and services.

Additional Resources

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.