Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708 detailed as:
“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.”
Impacted systems in this communication's scope
|FILMARRAY® 2.0||VITEK® 2 PC|
|FILMARRAY® Torch||VITEK® MS|
|GENE UP®||VITEK® MS RUO|
Which versions are impacted
Summary of impacted OS versions:
- Microsoft Windows® XP SP0/SP1/SP2 or prior
- Microsoft Windows® Embedded Standard 2009 (XPe SP3)
- Microsoft Windows® Embedded Standard 7 SP0
- Microsoft Windows® Embedded Standard 7 SP1
- Microsoft Windows® Server 2008 R2 SP1
Non-impacted OS versions:
- Microsoft Windows® 10
- Microsoft Windows® Server 2016
Update systems running Microsoft Windows® as soon as possible using the below guidelines:
- Windows Embedded Standard 7 SP1 / Windows Server 2008 R2 SP1: Install May 2019 Monthly Rollup
- Windows Embedded Standard 2009: Manually download and install KB4500331 “2019-05 Security Update for WES09 and POSReady 2009 for x86-based Systems” from https://www.catalog.update.microsoft.com/
- RDP is enabled and required for remote support
- Network Level Authentication (NLA): NLA is not to be enabled if currently disabled
- Block TCP port 3389 at the enterprise perimeter firewall
- Apply Windows security updates as they become available
- Apply Windows security updates manually
- Apply Windows security updates one at a time
- Do not update Internet Explorer or download other software updates without consulting your IT department and bioMérieux Customer Support.
- Disconnect or isolate systems which can’t be updated on an isolated network
- Replace all systems out of support by the latest available supported version
- Never expose bioMérieux systems directly to the internet
bioMérieux, Inc. is dedicated to ongoing product improvements in order to provide you with innovative diagnostic solutions and services that improve public health.
If there are any questions or concerns, please reach out to your IT department and the bioMérieux Customer Support Center at 1-800-682-2666 for assistance.
Thank you for your continued confidence in bioMérieux and its products.
US Commercial Operations