Product Security

Dear Valued bioMérieux, Inc., Customer,

This letter is to raise your awareness of the Remote Desktop Services Remote Code Execution vulnerability targeting Microsoft Windows® operating systems that was reported globally by Microsoft on May 14, 2019. This vulnerability targets the Remote Desktop Protocol (RDP) on several Microsoft Windows® operating systems. bioMerieux devices rely on RDP as a critical function to providing remote support and accessibility, and therefore bioMerieux provides recommendations to protect against this vulnerability.

Summary

Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708 detailed as:

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.”

Impacted systems in this communication's scope

ARGENE® CONNECT MYLA®
BRAF OBSERVA®
DIVERSILAB® PREVI® Isola
easyMAG® TEMPO®
EASYQ® VIDAS® 3
EASYSTREAM® VIDAS® PC
ESTREAM® VIGIGUARDTM
EMAG® VLINK®
EVISIGHT® VIRTUO®
FILMARRAY® 2.0 VITEK® 2 PC
FILMARRAY® Torch  VITEK® MS
GENE UP® VITEK® MS RUO

Which versions are impacted

Summary of impacted OS versions:

  • Microsoft Windows® XP SP0/SP1/SP2 or prior
  • Microsoft Windows® Embedded Standard 2009 (XPe SP3)
  • Microsoft Windows® Embedded Standard 7 SP0
  • Microsoft Windows® Embedded Standard 7 SP1
  • Microsoft Windows® Server 2008 R2 SP1

Non-impacted OS versions: 

  • Microsoft Windows® 10
  • Microsoft Windows® Server 2016

Recommendations

Update systems running Microsoft Windows® as soon as possible using the below guidelines:

  • Windows Embedded Standard 7 SP1 / Windows Server 2008 R2 SP1: Install May 2019 Monthly Rollup
  • Windows Embedded Standard 2009: Manually download and install KB4500331 “2019-05 Security Update for WES09 and POSReady 2009 for x86-based Systems” from https://www.catalog.update.microsoft.com/
  • RDP is enabled and required for remote support
  • Network Level Authentication (NLA): NLA is not to be enabled if currently disabled
  • Block TCP port 3389 at the enterprise perimeter firewall
  • Apply Windows security updates as they become available
  • Apply Windows security updates manually
  • Apply Windows security updates one at a time 
  • Do not update Internet Explorer or download other software updates without consulting your IT department and bioMérieux Customer Support.
  • Disconnect or isolate systems which can’t be updated on an isolated network
  • Replace all systems out of support by the latest available supported version
  • Never expose bioMérieux systems directly to the internet

Additional Resources

bioMérieux, Inc. is dedicated to ongoing product improvements in order to provide you with innovative diagnostic solutions and services that improve public health.

If there are any questions or concerns, please reach out to your IT department and the bioMérieux Customer Support Center at 1-800-682-2666 for assistance.

Thank you for your continued confidence in bioMérieux and its products.

Sincerely,
US Commercial Operations
bioMérieux, Inc.

Pioneering Diagnostics