Product Security

Dear Valued bioMérieux Customer,

This letter is to raise your awareness of the Remote Desktop Services Remote Code Execution vulnerability targeting Microsoft Windows® operating systems that was reported globally by Microsoft on August 13, 2019. This vulnerability targets the Remote Desktop Protocol (RDP) on several Microsoft Windows operating systems. bioMérieux, Inc. devices rely on RDP as a critical function to providing remote support and accessibility, and therefore bioMérieux provides recommendations to protect against this vulnerability.

Summary

Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.

Impacted systems in this communication's scope

BACT/ALERT^® VIRTUO^®	OBSERVA^®
DIVERSILAB^®	PREVI^®ISOLA
EASYSTREAM^®	TEMPO^®
EMAG^®	VIDAS^®3
ESTREAM^®	VIDAS^®PC
GENE UP^®	VLINK^®
MYLA^®	VITEK^®2
NUCLISENS^®easyMAG^®	VITEK^®MS
NUCLISENS EASYQ^®	Chemunex systems*

* (ScanRDI W10, D-Count 25/50). It is not recommended to connect the following systems to the network: ChemScan XP & W7, ScanRDI W7, D-Count II/BactiFlow ALS XP & W7 & W10.

Which versions are impacted

Summary of impacted OS versions:

Microsoft Windows^® Embedded Standard 7 SP0
Microsoft Windows^® Embedded Standard 7 SP1
Microsoft Windows^® Server 2008 R2 SP1
Microsoft Windows^® 10
Microsoft Windows^® Server 2016

Recommendations

Update systems running Microsoft Windows^® as soon as possible using the below guidelines:

Windows Embedded Standard 7 SP1 / Windows Server 2008 R2 SP1:
Install August 2019 Windows Monthly Rollup
Windows10 and Windows Server 2016:
Install August 2019 Windows Monthly Update
Network Level Authentication (NLA): NLA is not to be enabled if currently disabled
Block TCP port 3389 at the enterprise perimeter firewall
Apply Windows security updates as they become available
Apply Windows security updates manually
Apply Windows security updates one at a time
Do not update Internet Explorer or download other software updates without consulting your IT department and bioMérieux Customer Support.
Disconnect or isolate systems which can’t be updated on an isolated network
Replace all systems out of support by the latest available supported version
Never expose bioMérieux systems directly to the internet

Additional Resources

Blog post by Microsoft dated August 13, 2019 https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote- desktop-services-cve-2019-1181-1182/
Microsoft security advisory regarding CVE-2019-1181 dated August 13, 2019 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181
Microsoft security advisory regarding CVE-2019-1182 dated August 13, 2019 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182

If there are any questions or concerns, please reach out to your IT department and the bioMérieux Customer Support Center at 1-800-682-2666 for assistance.

Sincerely,

US Commercial Operations

MAR 4495 • PRN 054449 Rev01.A

Product Security

Summary

Impacted systems in this communication's scope

Which versions are impacted

Recommendations

Additional Resources

Discover all our websitesOur websites

Global bioMérieux Clinical Diagnostics

Global bioMérieux Corporate

bioMérieux Investors Relations

Global Antimicrobial Resistance Site

bioMérieux Recruitment

bioMérieux Connection Blog

bioMérieux Press Room

bioMérieux University

bioMérieuxDIRECT™ Online Account

Search form

You are here

Product Security

Summary

Impacted systems in this communication's scope

Which versions are impacted

Recommendations

Additional Resources

Discover all our websitesOur websites