Security Advisories

bioMérieux continuously monitors the evolution of the global cybersecurity context and assesses vulnerabilities which may affect bioMérieux products. The present security advisories are intended to inform our customers about bioMérieux's response to relevant security events.

Multiple vulnerabilities in Treck TCP/IP stack (Ripple20)

(Latest update: October 14, 2020)

A set of vulnerabilities called “Ripple20”, affecting a network software library used in a large variety of connected devices, was recently disclosed by the JSOF security research group. Some of these vulnerabilities in the TCP/IP stack developed by Treck Inc. have been confirmed as critical by CERTs (Computer Emergency Response Teams), as they may allow remote code execution or expose sensitive information.

We have evaluated the exposure of bioMérieux products as per our continuous threat monitoring process and have identified that HP SL-M4020ND printers delivered with some of our commercial systems in the past are affected by Ripple20 vulnerabilities when used through network connectivity instead of USB. We recommend that our customers verify whether they use networked HP SL-M4020ND printers with their bioMérieux systems and update the printers’ firmware. More information and instructions are available in HP’s security advisory.

No other severe impact has been identified at this point and the present communication will be updated as appropriate.

Please contact your local bioMérieux representative if you have any questions.

JSOF research group page: https://www.jsof-tech.com/ripple20/
CERT Coordination Center advisory: https://kb.cert.org/vuls/id/257161
CISA Industrial Control System advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
HP advisory: https://support.hp.com/sk-en/document/c06640149

Windows CryptoAPI Spoofing Vulnerability

(Latest update: October 14, 2020)

Microsoft disclosed a critical vulnerability (CVE-2020-0601) on January 14th 2020 affecting Windows' ability to verify digital signatures. It can be exploited to make malicious software, a website or an email appear as signed by a trusted authority, or by an attacker to decrypt confidential data in transit. Microsoft has released a set of patches as part of January's Windows Updates to correct this vulnerability.

We highly recommend that customers using bioMérieux systems running Windows 10 or Windows Server 2016 operating systems install January's Windows security updates in accordance with the instructions for use of the systems concerned.

Please contact your local bioMérieux representative if you have any questions.

Microsoft's advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

 

For any additional information, please contact your local support representative.