Product Security Bulletin for Third-Party Windows SMBv3 Vulnerability

United States
North America

Canada (EN)

Canada (FR)

United States

South America

América Latina (ES)

América Latina (PT)
Europe

Belgique

België

Česká republika

Deutschland

España

France

Israel

Italia

Nederland

Nordics

Österreich

Polska

Schweiz

United Kingdom
Middle East, North Africa, Turkey

Middle East, North Africa, Turkey

South Africa

Asia Pacific

Australia & New Zealand

中国

Greater Asia

India

日本

대한민국

Southeast Asia
Login

true

Bulletin and Patches

Jun 15, 2020

Bulletins

CRITICAL

BD is aware of and is currently monitoring a third-party vulnerability that affects Microsoft Server Message Block version 3.1.1 (SMBv3) protocol. This third-party vulnerability, which Microsoft corrected with their recent patch release, is not specific to BD or our products.

This remote code execution vulnerability, which affects Windows 10 only, impacts the way the SMBv3 protocol handles certain requests. The security patch, made by Microsoft, addresses the vulnerability by correcting how the SMBv3 protocol handles those requests. If successfully exploited, this vulnerability could potentially allow an unauthorized user to execute arbitrary code on the targeted system. Additionally, this third-party vulnerability can potentially be exploited in two ways:

An unauthorized user could send a specially crafted packet to a targeted SMBv3 server.
An unauthorized user could maliciously reconfigure an SMBv3 server and persuade a user to connect to it.

BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Windows 10.

Execute updates to malware protection, where available
Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

BD has not received any reports of this third-party Microsoft vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize Windows 10. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

BD FACSAria™ Fusion
BD FACSAria™ II
BD FACSAria™ III
BD FACSCanto™ 10-color
BD FACSCanto™ II
BD FACSCelesta™
BD FACSLink™

BD FACSLyric™
BD FACSMelody™
BD FACSSample Prep Assistant™ (SPA)
BD FACSymphony™ A3/A5
BD FACSymphony™ S6
BD LSRFortessa™
BD LSR™ II

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s):

Ensure the following Microsoft patches have been applied:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

For product-or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by any of these third-party vulnerabilities, disconnect the device from the network and contact your BD service representative immediately.

true