true

Third party Vulnerability

Third-party Vulnerability: Microsoft Windows SmartScreen Security Feature Bypass

Background

Last updated: August 04, 2023

This notification is voluntarily shared by BD with Information Sharing and Analysis Organizations (ISAOs).

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

BD is aware of and currently monitoring a vulnerability in Microsoft Windows SmartScreen that can result in a security feature bypass. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party Windows vulnerability:

  • CVE-2023-24880 - An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

 

BD has not received any reports of this vulnerability being exploited on BD products.

This notification applies to the following BD products:

  • BD Accuri™ C6 Plus *
  • BD FACSAria™ Fusion *
  • BD FACSAria™ III *
  • BD FACSCanto™ 10-color *
  • BD FACSCanto™ 10-color clinical *
  • BD FACSCanto™ II *
  • BD FACSCanto™ II clinical *
  • BD FACSCelesta™ *
  • BD FACSLink™
  • BD FACSLyric™ *
  • BD FACSMelody™ *
  • BD FACS™ Sample Prep Assistant (SPA) III *
  • BD FACS™ Workflow Manager
  • BD FACSymphony™ A1
  • BD FACSymphony™              A3 / A5 *
  • BD FACSymphony™ S6
  • BD LSR II™ *
  • Influx™
  • LSRFortessa™ *
  • LSRFortessa™ X-20 *

Response

As of July 26, 2023, the BD products listed above marked with an asterisk (*) have a BD patch notification posted on the BD Bulletins and Patches website. The BD product patch bulletin will have March 2023 listed in the download column. BD is working to test and validate the patch(es) on the remaining BD products that use the third-party component. Please refer to the Bulletins and Patches page for all approved product security patching notifications. BD recommends the following mitigations and compensating controls to reduce the risk associated with this vulnerability:

  • BD products should be solely dedicated to their intended purposes.  
  • Ensure physical access controls are in place and only authorized end-users can access the BD products. 
  • If BD products must be connected to a network, ensure industry-standard network security policies and procedures are followed, including but not limited to:
    • Intrusion Detection/Prevention System to monitor network traffic
    • Network segmentation
    • Whitelist required websites only

Additional Resources

For product- or site-specific concerns, contact your BD service representative.