true
Bulletin and Patches

Third-party Vulnerability

VMware (VMware ESXi, Workstation, Fusion and NSX-T)
Jun 04, 2021 Bulletins CRITICAL

Background

BD is aware of and currently monitoring multiple VMware vulnerabilities affecting VMware ESXi, Workstation, Fusion and NSX-T. These third-party vulnerabilities, which VMware corrected with their Oct. 20, 2020 patch release, are not specific to BD or our products. Additionally, we have not received any reports of these vulnerabilities being exploited on BD products. Please see below for a list of BD products associated with these VMware components. Note that not all BD products listed in this bulletin are in scope for each CVE.

  • CVE-2020-3992: ESXi OpenSLP remote code execution vulnerability. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. To exploit this vulnerability, an unauthorized user would need to first penetrate the management network.
 
  • CVE-2020-3993: NSX-T MITM vulnerability. VMware NSX-T contains a security vulnerability that exists in the way it allows a Kernel-based Virtual Machine (KVM) host to download and install packages from NSX manager. A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.
 
  • CVE-2020-3981: TOCTOU out-of-bounds read vulnerability. VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability due to a time-of-check time-of-use issue in Advanced Configuration and Power interface (ACPI) device. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
 
  • CVE-2020-3982: TOCTOU out-of-bounds write vulnerability. VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability due to a time-of-check time-of-use issue in ACPI device. A malicious actor with administrative access to a virtual machine may be able to exploit this vulnerability to crash the virtual machine's vmx process or corrupt hypervisor's memory heap.
 
  • CVE-2020-3994: vCenter Server session hijack vulnerability in update function. VMware vCenter Server contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
 
  • CVE-2020-3995: VMCI host driver memory leak vulnerability. The VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.

BD products that utilize affected VMware products

BD has not received any reports of these third-party vulnerabilities being exploited on BD products. The lists below are available to help customers identify existing BD products that utilize in-scope VMware products. The lists below are not comprehensive and may be updated as more products are identified; in addition, these lists do not indicate the patch or device status.

Note: The BD Alaris™ Systems Manager and BD Pyxis™ server products are each run in VMware ESXi environment, which either the customer or BD may provide. Customers who use a VMware ESXi environment with either the BD Alaris™ Systems Manager or BD Pyxis™ products are encouraged to update and maintain security patches directly through VMWare.

The BD products listed below support VMware ESXi and are in scope for CVE-2020-3992:

  • BD Alaris™ Systems Manager^
  • BD HealthSight™ Clinical Advisor
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor
  • BD HealthSight™ Inventory Optimization
  • BD Intelliport™
  • BD Kiestra™ InoqulA Standalone
  • BD Kiestra™ ReadA Standalone
  • BD Kiestra™ TLA/WCA with a SCU
  • BD Knowledge Portal for Infusion Technologies
  • BD Medication Knowledge Portal™
  • BD Pyxis™ Enterprise Server*
  • BD Pyxis™ Logistics Server*
  • BD Pyxis™ MedStation™ 4000*
  • BD Pyxis™ SupplyStation*
  • BD Supply Knowledge Portal™

*CVE-2020-3992 ESXi OpenSLP remote code execution vulnerability: Port 427 is not recommended to be opened during implementation for the BD Pyxis™ suite of products or BD Alaris™ Systems Manager.

^The BD Alaris™ Systems Manager is run in a VMware ESXi environment, which the customer provides. Customers who utilize VMWare ESXi with the BD Alaris™ Systems Manager are responsible for updating and maintaining security patches for VMWare ESXi as it resides within the customer's network infrastructure.

Additionally, the BD products listed below also utilize Workstation, Fusion and/or NSX-T and are in scope for CVE-2020-3981, CVE-2020-3982, CVE-2020-3994, CVE-2020-3995:

  • BD HealthSight™ Clinical Advisor
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor
  • BD HealthSight™ Inventory Optimization
  • BD Intelliport™
  • BD Kiestra™ InoqulA Standalone
  • BD Kiestra™ ReadA Standalone
  • BD Kiestra™ TLA/WCA with a SCU
  • BD Knowledge Portal for Infusion Technologies
  • BD Medication Knowledge Portal™
  • BD Supply Knowledge Portal™

Customers that maintain patches independent of BD automated delivery are responsible for maintaining the correct security posture of their system(s) and should ensure related VMware patches have been applied: https://www.vmware.com/security/advisories/VMSA-2020-0023.html.

For productor site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.

Response

BD is currently working to test and validate the VMware patch(es) for BD products that use the affected third-party components. Some patches may already be available. Please refer to the BD Cybersecurity Trust Center Bulletins and Patching for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize VMware ESXi, Workstation, Fusion and NSX-T:

  • Execute updates to malware protection, where available
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures
  • Disable any unnecessary accounts, protocols and services
  • Do not allow unauthenticated users access to the network

Additional Resources

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.

true