BD—Various Systems: May Be Susceptible to Third-Party Vulnerability
December 23, 2020 | Strategic Insights for Health System
ECRI's complete weekly summary of medical device hazard and recall information is available in ECRI's Health Device Alerts. For more information contact us at clientservices@ecri.org.
In a December 3, 2020, Product Security Bulletin, BD states that it is aware of and is currently monitoring Microsoft vulnerabilities affecting the Windows TCP/IP stack. This third-party vulnerability, which Microsoft corrected with an update released on October 13, 2020, is not specific to BD products. BD also states that it has received no reports regarding this vulnerability being exploited on BD products.

CVE-2020-16898 is a remote code execution vulnerability that exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. If exploited, this vulnerability could allow an attacker to gain the ability to execute code on the target server or client. The Microsoft update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The packets involved are not routable over the internet, only over a local subnet. BD has not confirmed the...
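For monitoring the local subnet until affected systems are updated, the following added example (not from BD, ECRI or Microsoft) audits the options of a captured Router Advertisement for RFC conformance. It assumes a detail the bulletin summary does not state: Microsoft's published workaround for CVE-2020-16898 is to disable ICMPv6 RDNSS, and RFC 8106 requires the Length field of that option to be odd and at least 3. The sample messages and helper names are constructed for illustration.

```python
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
RA_HEADER_LEN = 16   # fixed RA fields that precede the options
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 8106)


def iter_options(icmpv6: bytes):
    """Yield (type, length_in_8_octet_units, body) for each RA option."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6):
        opt_type, units = icmpv6[off], icmpv6[off + 1]
        yield opt_type, units, icmpv6[off + 2: off + units * 8]
        if units == 0:   # RFC 4861: receivers must discard; stop walking
            return
        off += units * 8


def audit_ra(icmpv6: bytes) -> list:
    """Return findings for options a conforming router would never send."""
    findings = []
    for opt_type, units, body in iter_options(icmpv6):
        if units == 0:
            findings.append(f"option {opt_type}: zero length")
        elif len(body) != units * 8 - 2:
            findings.append(f"option {opt_type}: truncated")
        elif opt_type == OPT_RDNSS and (units < 3 or units % 2 == 0):
            findings.append(f"RDNSS: length {units} is not odd and >= 3")
    return findings


def _ra(*options: bytes) -> bytes:
    """Constructed RA message body (checksum zeroed; parsing input only)."""
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + b"".join(options)


def _rdnss(units: int) -> bytes:
    """Constructed RDNSS option, zero-filled to its declared length."""
    return struct.pack("!BBHI", OPT_RDNSS, units, 0, 600) + bytes(units * 8 - 8)


SAMPLE_CONFORMING = _ra(_rdnss(3))      # one 16-byte server address
SAMPLE_NONCONFORMING = _ra(_rdnss(4))   # even length: violates RFC 8106

if __name__ == "__main__":
    for name, pkt in (("conforming", SAMPLE_CONFORMING), ("nonconforming", SAMPLE_NONCONFORMING)):
        print(name, audit_ra(pkt) or "ok")
```

The input to `audit_ra` is the ICMPv6 message starting at its Type byte, as extracted from a packet capture on the device's subnet.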