Third-party Vulnerability

Windows TCP/IP Remote Code Execution Vulnerability (Bad Neighbor)

Background

BD is aware of and currently monitoring Microsoft vulnerabilities affecting the Windows TCP/IP stack. This third-party vulnerability, which Microsoft corrected with an update released on Oct. 13, 2020, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.

CVE-2020-16898 is a remote code execution vulnerability that exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. If exploited, this vulnerability could allow an attacker to gain the ability to execute code on the target server or client. The Microsoft update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. Because these packets cannot be routed across the internet, exploitation is limited to attackers on the same local subnet as the target.

Response

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Please refer to Microsoft’s bulletin for additional compensating controls.

BD Products that Utilize Affected Windows TCP/IP:

BD has not received any reports of this third-party vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize Windows TCP/IP. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Accuri™ C6 Plus
  • BD Assurity Linc™
  • BD COR™
  • BD DataLink™
  • BD FACSAria™ Fusion (w Diva v9.0.1)
  • BD FACSAria™ II (w Diva v9.0.1)
  • BD FACSAria™ III (w Diva v9.0.1)
  • BD FACSCanto™ 10-color (w Diva 9.0)
  • BD FACSCanto™ 10-color clinical (w Canto Clinical 4.0)
  • BD FACSCanto™ II (w Diva 9.0)
  • BD FACSCanto™ II clinical (w Canto Clinical 4.0)
  • BD FACSCelesta™ (w Diva 9.0)
  • BD FACSLyric™ (w FACSuite v1.4)
  • BD FACSMelody™
  • BD FACSSample Prep Assistant™ (SPA) III
  • BD FACSVerse™ (w FACSuite v1.0.6)
  • BD FACSymphony™ A3 / A5 (w Diva v9.1)
  • BD FACSymphony™ S6 (w Diva 9.1)
  • BD Pyxis™ Anesthesia Station ES*
  • BD Pyxis™ CathRack System*
  • BD Pyxis™ CIISafe*
  • BD Pyxis™ KanBan RF*
  • BD Pyxis™ MedStation™ ES*
  • BD Pyxis™ MedStation™ ES Integrated Main system*
  • BD Pyxis™ ProcedureStation™ system with Tissue and Implant module*
  • BD Pyxis™ SupplyStation (RFID)*
  • BD Pyxis™ SupplyStation™*
  • BD Totalys™ Multiprocessor
  • BD Veritor™ Connect
  • LSR II (w Diva v9.0)
  • LSRFortessa™ (w Diva v9.0)
  • LSRFortessa™ X-20 (w Diva v9.0)
  • Rowa™ Dose
  • Rowa™ vMotion
  • Rowa™ vMax

Customers who maintain patches independently of BD automated delivery are the responsible entity for these actions and should ensure they are performed in order to maintain the correct security posture of the system(s). Ensure the following Microsoft patch has been applied:


For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.
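As an added example, not part of the BD advisory and not BD's or Microsoft's code, the following PowerShell script shows how a customer who patches independently might assess a Windows host for this issue: it reports the Windows release (the advisory's footnote calls out 1803 and 1809 for the Pyxis products), checks whether a required update is installed, and lists the IPv6 interfaces that currently accept Router Advertisements, which are the only interfaces that can receive the crafted packets described above. The KB number is a placeholder because this page does not list it; substitute the value from Microsoft's bulletin. The final step prints, but does not run, the interface-level RDNSS workaround that Microsoft's bulletin documents as a compensating control; whether that workaround is appropriate for a given BD device is an assumption the operator must confirm with BD and the bulletin.

```powershell
<#
  Added example (not BD's or Microsoft's code): assess a Windows host for
  CVE-2020-16898 exposure from a defender's point of view.
  Assumptions:
    - $RequiredKb is a placeholder; replace it with the KB id(s) from
      Microsoft's bulletin for this host's Windows version.
    - The netsh workaround printed by -ShowWorkaround is the compensating
      control from Microsoft's bulletin; it is displayed for review only.
#>
param(
    [string[]]$RequiredKb = @('KBNNNNNNN'),   # placeholder, not a real KB id
    [switch]$ShowWorkaround
)

# 1. Identify the Windows release and build from the registry.
$ver     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$release = if ($ver.PSObject.Properties['ReleaseId']) { $ver.ReleaseId } else { 'unknown' }
Write-Output ("OS: {0}, build {1}.{2}, ReleaseId {3}" -f `
    $ver.ProductName, $ver.CurrentBuild, $ver.UBR, $release)

# Releases named in this advisory's footnote (Pyxis products); other Windows
# versions may also need the update, per Microsoft's bulletin.
$footnoteReleases = @('1803', '1809')
if ($footnoteReleases -contains $release) {
    Write-Warning "Release $release is one of the versions called out in the BD footnote."
}

# 2. Verify that the required update(s) are present.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKb | Where-Object { $installed -notcontains $_ }
if ($missing) {
    Write-Warning ("Missing update(s): {0}" -f ($missing -join ', '))
} else {
    Write-Output ("Required update(s) present: {0}" -f ($RequiredKb -join ', '))
}

# 3. List connected IPv6 interfaces that still process Router Advertisements.
#    Only these interfaces can receive the crafted ICMPv6 RA packets, and only
#    from a sender on the same local subnet.
$exposed = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.RouterDiscovery -ne 'Disabled' } |
    Select-Object InterfaceIndex, InterfaceAlias, RouterDiscovery

if ($exposed) {
    Write-Output "IPv6 interfaces accepting Router Advertisements:"
    $exposed | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output "No connected IPv6 interfaces accept Router Advertisements."
}

# 4. Optionally show the RDNSS workaround from Microsoft's bulletin for each
#    exposed interface. It is printed, not executed: review it with BD support
#    before applying it to a BD device.
if ($ShowWorkaround -and $exposed) {
    Write-Output "Workaround commands (review before running; reboot not required):"
    foreach ($i in $exposed) {
        Write-Output ("  netsh int ipv6 set int {0} rabaseddnsconfig=disable   # {1}" -f `
            $i.InterfaceIndex, $i.InterfaceAlias)
    }
}

# Summary object for use in inventory tooling.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    ReleaseId         = $release
    Build             = "$($ver.CurrentBuild).$($ver.UBR)"
    MissingUpdates    = @($missing)
    ExposedInterfaces = @($exposed | ForEach-Object { $_.InterfaceAlias })
}
```

Run it as an administrator with `.\Check-BadNeighbor.ps1 -RequiredKb 'KB<from bulletin>' -ShowWorkaround`; the summary object at the end can be exported (for example with `Export-Csv`) to track patch status across a fleet, which is useful because the product list above does not indicate patch or device status.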

*Only systems on Windows 10 1803 and 1809 are affected.