true
Product Security Bulletin for Third-Party Win32k Vulnerability

Background

BD is aware of and currently monitoring two Microsoft vulnerabilities, which were announced on Dec. 10, 2019 and affect the Win32k graphic component within Windows products. These third-party vulnerabilities, which Microsoft corrected with their latest patch releases, are not specific to BD or our products. Additionally, we have not received any reports regarding these vulnerabilities being exploited on BD products.

CVE-2019-1458 is an elevation of privilege vulnerability that exists when the Win32k graphic component fails to properly handle objects in memory. In order to exploit this vulnerability, the attacker would need physical access to the system. This vulnerability affects Windows 10, 7, 8.1, 8.1 RT and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016. The security patch, made by Microsoft, remediates this vulnerability by correcting how Win32k handles objects in memory.

CVE-2019-1468 is a remote code execution vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. This vulnerability can be exploited in two ways:

  • An attacker could host an exploit on a malicious website and persuade the user to open the website through a social engineering tactic, such as a phishing email.
  • An attacker could share a malicious file and convince a user to open the document.

Accounts that operate with fewer user privileges could have less of an impact if exploited than those with administrative privileges. This vulnerability affects Windows 10, 7, 8.1, 8.1 RT and Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019. The security patch, made by Microsoft, remediates this vulnerability by correcting how the Windows font library handles embedded fonts.

If successfully exploited, these third-party vulnerabilities would allow an attacker to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Response

BD Products that Utilize Affected Windows Versions:

BD has not received any reports of these third-party Microsoft vulnerabilities. The product list below is available to customers to help identify existing BD products that utilize Windows 10, 7, 8.1, 8.1 RT and Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Accuri™
  • BD Alaris™ System Maintenance
  • BD Alaris™ Systems Manager Server
  • BD Alaris™ Guardrails Editor Software
  • BD Assurity Linc™
  • BD BACTEC BOW*
  • BD BACTEC FX*
  • BD BACTEC FX40*
  • BD Care Coordination Engine™
  • BD COR System™*
  • BD DataLink™
  • BD Epicenter™
  • BD FACSAria™
  • BD FACSCanto
  • BD FACSCelesta™
  • BD FACSJazz™
  • BD FACSLink™
  • BD FACSLyric™
  • BD FACSMelody™
  • BD FACSVerse™
  • BD FACSVia™
  • BD FACSSample Prep Assistant™ (SPA)
  • BD FACSymphony™*
  • BD Focal Point Screen Review Station
  • BD HealthSight Analytics™
  • BD Influx™
  • BD Intelliport™
  • BD Kiestra™ IdentifA*
  • BD Kiestra™ TLA*
  • BD Kiestra™ WCA*
  • BD Kiestra™ InoqulA*
  • BD Knowledge Portal™
  • BD LSR™
  • BD LSRFortessa™
  • BD MAX™*
  • BD MedMined™
  • BD Patient Association Application™ (PAA)
  • BD Phoenix™ M50*
  • BD Pyxis™ Anesthesia Station 4000
  • BD Pyxis™ Anesthesia Station ES™
  • BD Pyxis™ CathRack System
  • BD Pyxis™ CIISafe
  • BD Pyxis™ CUBIE Replenishment System
  • BD Pyxis™ IV Prep
  • BD Pyxis™ KanBan RF
  • BD Pyxis™ Logistics
  • BD Pyxis™ MedStation ES
  • BD Pyxis™ MedStation™ 4000
  • BD Pyxis™ Order Viewer
  • BD Pyxis™ PARx™
  • BD Pyxis™ PharmoPack™
  • BD Pyxis™ ProcedureStation™ system with Tissue and Implant Module
  • BD Pyxis™ Server ES
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Tissue & Implant Management System
  • BD Synapsys™
  • BD Totalys™ Multiprocessor*
  • BD Totalys™ SlidePrep*
  • BD Viper LT™*

Additional Resources

*Note: While these products are in scope of CVE-2019-1468, exposure to this vulnerability is limited as these devices should not be connected to the internet and should be either standalone or on an isolated, segmented network (per “Directions for Use”).

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s). 

Ensure the following Microsoft patches have been applied:

 

For product- or site-specific concerns, contact your BD service representative. If you observe symptoms of this attack, disconnect your system from the network and contact your BD service representative immediately.