
Third-party Vulnerability

Netlogon Elevation of Privilege Vulnerability (Zerologon)

Background

BD is aware of and currently monitoring the Microsoft Netlogon elevation of privilege vulnerability (also known as Zerologon), affecting Netlogon Remote Protocol (MS-NRPC). This third-party vulnerability, which Microsoft is correcting through a phased two-part rollout that started on Aug. 11, 2020, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.

CVE-2020-1472 is an elevation of privilege vulnerability that could allow an unauthorized user to establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). To exploit the vulnerability, an unauthenticated attacker would need to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

This vulnerability could potentially allow an attacker to run a specially crafted application on a device on the network.

This vulnerability was recently added to the list of third-party vulnerabilities threat actors could potentially use to infect systems with Ryuk Ransomware. For more information, please see our Ryuk Ransomware bulletin.

Response

Please see the Product Security Patching website for all available product security patches. Additionally, we recommend the following compensating controls for customers using BD products that utilize Netlogon Remote Protocol:

  • Implement or perform Deep Packet Inspection on your firewall product.
  • Monitor Domain Controller logs for activity related to this vulnerability, especially events containing the fields Security ID: ANONYMOUS LOGON, Account Name: ANONYMOUS LOGON or Account Domain: NT AUTHORITY.
  • Do not authorize untrusted devices to make use of the Domain Controllers.
  • Enable “Enforcement Mode.” Microsoft’s Change Management Guidance provides details for organizations to implement “Enforcement Mode” immediately.
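
The log-monitoring control above can be run as a triage pass over exported Domain Controller event text. The following is an added example, not BD or Microsoft code: it checks only the Subject block of each event for the three field values named in the bullet. The message layout, record IDs, host and domain names are constructed sample data, and the two triage levels are an assumption of this example.

```python
import re

# Field values named in the bulletin's log-monitoring recommendation.
WATCH = {"Security ID": "ANONYMOUS LOGON",
         "Account Name": "ANONYMOUS LOGON",
         "Account Domain": "NT AUTHORITY"}
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*\S)\s*$")

def subject_fields(message):
    """Return the 'Field: value' pairs listed under the Subject: section only."""
    fields, section = {}, None
    for line in message.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented line opens a new section
            section = line.strip()
            continue
        m = FIELD.match(line)
        if section == "Subject:" and m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(events):
    """Return (record_id, level, matched_fields) for events worth a look."""
    findings = []
    for record_id, message in events:
        subj = subject_fields(message)
        hits = sorted(k for k, v in WATCH.items() if subj.get(k, "").upper() == v)
        if hits:
            # Account Domain alone also matches built-in service accounts
            # such as LOCAL SERVICE, so rank it below an anonymous subject.
            level = "domain-only" if hits == ["Account Domain"] else "anonymous"
            findings.append((record_id, level, hits))
    return findings

def sample(sid, name, domain):
    """Constructed message text laid out like a rendered Security-log event."""
    return ("A computer account was changed.\n\nSubject:\n"
            f"\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{name}\n"
            f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x3E6\n\n"
            "Computer Account That Was Changed:\n"
            "\tAccount Name:\t\tDC01$\n\tAccount Domain:\t\tEXAMPLE\n")

# Constructed sample events: (record id, message text).
SAMPLE_EVENTS = [
    (101, sample("ANONYMOUS LOGON", "ANONYMOUS LOGON", "NT AUTHORITY")),
    (102, sample("LOCAL SERVICE", "LOCAL SERVICE", "NT AUTHORITY")),
    (103, sample("EXAMPLE\\admin1", "admin1", "EXAMPLE")),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Events ranked "anonymous" are the ones to review first; "domain-only" hits show how much noise the Account Domain field produces when matched alone.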

BD Products that Leverage Netlogon Remote Protocol Versions:

BD has not received any reports of this third-party vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize affected versions of Netlogon Remote Protocol. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Infusion Knowledge Portal™
  • BD Intelliport™
  • BD Kiestra™ InoqulA Standalone
  • BD Kiestra™ ReadA Standalone
  • BD Kiestra™ TLA/WCA
  • BD Supply Knowledge Portal™
  • BD HealthSight™ Clinical Advisor
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor
  • BD HealthSight™ Inventory Optimization
  • BD Medication Knowledge Portal™

 

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity to maintain the correct security posture of the system(s). Ensure the following Microsoft guidelines have been followed:

 

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.