prod:prod_dcx-login
Critical Vulnerability Notification: CVE-2023-4863 Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2
BACKGROUND
The National Vulnerability Database is tracking vulnerability iCVE-2023-4863 which resides in Chromium Open Source Software (OSS) and is used to render webp images. The library is widely incorporated in web browsers which use libsebp library, including Microsoft Edge, Google Chrome, and Mozilla Firefox. The vulnerability enables a remote attacker to perform an out of bounds memory write via a crafted HTML page which may result in the execution of code that could potentially compromise systems.
CEPHEID PRODUCTS AFFECTED
The default browser used on Cepheid products is either Microsoft Internet Explorer or Edge. Cepheid does not ship our products with Google Chrome or Firefox web browsers and Microsoft Internet Explorer is not affected by this vulnerability. In addition, the Operator Manuals for our software include instructions not to install non-standard applications nor change settings for default applications shipped with computers or tablets.
ACTIONS REQUIRED BY CUSTOMERS
Remove and discontinue use of any unauthorized web browsers, including Google Chrome or Firefox. Check the current version of Microsoft Edge to ensure the version is Microsoft Edge (Stable) version 117.0.2045.31 or later. Note that allowing Microsoft Windows security updates will automatically enable the patch for affected customers. For further information onhow to determine your system’s version of Microsoft Edge, please consult your IT group or follow your organization's IT governance policies.
If you have any questions or concerns, please contact Cepheid technical support or one of the phone numbers/email addresses in your region.
Microsoft SQL Server 2016 Service Pack 3 on Windows 10 operating system running GeneXpert Xpertise 6.8 Software on Infinity Systems
BACKGROUND
This notice is to inform you that Cepheid has validated Microsoft SQL Server 2016 Service Pack 3 (KB5003279) for Infinity customers using GeneXpert Xpertise 6.8 software.
ACTIONS REQUIRED BY CUSTOMERS
The following Microsoft SQL Server 2016 Service Pack 3 is safe to install on the system running GeneXpert Xpertise 6.8 software:
• MS SQL Server 2016 Service Pack 3 (KB5003279) from https://www.microsoft.com/en-us/download/details.aspx?id=103440
Cepheid recommends shutting down the Xpertise software prior to performing the patch. A backup of the database using the Xpertise Application before the patch is installed is also highly recommended. For instructions on how to shut down the Xpertise software and back up the Xpertise software and user data, please consult the user manual. For further information regarding installation, please consult your IT group or follow your organization's IT governance policies.
End of Windows 7 Cybersecurity Support for GeneXpert® Systems
Updated June 30, 2023
BACKGROUND
Microsoft ended Windows 7 Operating System (OS) support in January 2020, discontinuing patches and updates. Consequently, Cepheid is no longer able to support the latest cybersecurity and privacy standards on Windows 7 OS computers. Your instrument software and current tests will continue to work with Windows 7 OS. However, as of June 30, 2023 all future GeneXpert Dx, Infinity Xpertise, or Xpert Check software releases (the GeneXpert systems) will not be compatible with Windows 7 OS.
For More Information, please see here
Log4Shell (Apache Log4j)
Updated July 8th, 2022
BACKGROUND
On December 10, 2021, a critical vulnerability (CVE-2021-44228) was reported in Apache Log4j. The
vulnerability impacts multiple versions of the Apache Log4j utility and the applications that use it. The
vulnerability allows an attacker to execute arbitrary code.
RESPONSE
Cepheid teams have successfully analyzed and addressed the potential security risk to our product portfolio, in the form of a revised software patch. Communication has been sent out to all the customers that may benefit from the software patch, outlining the process to request the patch. Customers are encouraged to request the patch for a more secure user experience.
Individuals or organizations with additional product security concerns are encouraged to contact their local Cepheid Technical support team at techsupport@cepheid.com or email productsecurity@cepheid.com
PrintNightmare Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527, CVE-2021-36947, CVE-2021-36936, CVE-2021-34483, CVE-2021-34481, CVE-2021-36958)
Updated Septemer 14th, 2021
BACKGROUND
On July 6th, 2021, Microsoft released a patch for a critical Remote Code Execution vulnerability to address CVE-2021-34527. The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Since then, multiple CVE’s have been added as part of the combined “PrintNightmare” vulnerability, along with additional patches.
This vulnerability impacts all windows operating systems.
RESPONSE
Cepheid’s research and development teams are analyzing the Microsoft patches for CVE-2021-34527, CVE-2021-36947, CVE-2021-36936, CVE-2021-34483, CVE-2021-34481 for impact to affected products.
CryptoAPI
Updated January 20th, 2020
BACKGROUND
On January 14, 2020, Microsoft released patches to remediate 49 vulnerabilities within their monthly Patch Tuesday announcement. Amongst the available patches, is the vulnerability (CVE-2020-0601) affecting Microsoft Windows cryptographic functionality known as Windows CryptoAPI. The vulnerability affects GeneXpert systems running on Windows 10 Professional.
RESPONSE
Cepheid is aware of this identified vulnerability and is currently monitoring related developments. Cepheid has not received any reports of these vulnerabilities affecting the clinical use of our products and is evaluating the potential impact of the vulnerability on its products.
Cepheid has not yet confirmed compatibility of its GeneXpert systems with patches that mitigate CVE-2020-0601. The compatibility testing process is underway, and we expect it to be completed within the next several weeks.
If you would like to be notified when compatibility testing is completed, please contact your local Cepheid Technical support team or email productsecurity@cepheid.com.
DejaBlue
Updated September 13th, 2019
BACKGROUND
On August 13, 2019 Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.
The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected.
RESPONSE
Cepheid has validated the installation of the following Microsoft patches for its GeneXpert systems and where appropriate, developed specific customer instructions for those systems. For detailed information on each Cepheid product, please see product list below.
If you have any questions, please contact your local Cepheid Technical support team or email productsecurity@cepheid.com.
| Software Version | Patch Location | Additional Steps |
|---|---|---|
| GeneXpert Dx | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 |
Install patch for your operating system and build Restart computer |
| Xpertise G1 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 |
Install patch for your operating system and build Restart computer |
| Xpertise G2 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 |
Install patch for your operating system and build Restart computer |
| GeneXpert Xpress | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 |
Install patch for your operating system and build Restart computer |
| Cepheid Link | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 |
Install patch for your operating system and build Restart computer |
| XpertCheck | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 |
Install patch for your operating system and build Restart computer |
CVE-2019-0708 Remote Desktop Protocol Vulnerability (Bluekeep)
Updated July 25th, 2019
BACKGROUND
On May 15th, 2019, Microsoft released a patch for a critical Remote Code Execution vulnerability in Remote Desktop Services (CVE-2019-0708). CVE-2019-0708 is a vulnerability, not a virus. This vulnerability can be exploited remotely without authentication on systems that use Remote Desktop Services as part of Windows XP and Windows 7.
RESPONSE
Cepheid has validated the installation of the Microsoft patch for CVE-2019-0708 and where appropriate, developed specific customer instructions for those systems. For detailed information on each Cepheid product, please see products list below.
If you have any questions, please contact your local Cepheid Technical support team or email productsecurity@cepheid.com.
| Product Line | Patch Location | Additional Steps |
|---|---|---|
| Dx SW | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 |
Restart PC after installation of patch |
| Xpertise SW - G1 | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 Win 7: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
Restart PC after installation of patch |
| Xpertise SW - G2 | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 Win 7: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
Restart PC after installation of patch |
| Xpress | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 Win 7: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
Restart PC after installation of patch |
| ONCore | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 Win 7: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
Restart PC after installation of patch |
| Cepheid Link | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 Win 7: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
Restart PC after installation of patch |
| XpertCheck | Win XP: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 Win 7: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
Restart PC after installation of patch |
Updated June 13th, 2019
RESPONSE
Cepheid is aware of this identified vulnerability and is currently monitoring related developments. Cepheid has not received any reports of these vulnerabilities affecting the clinical use of our products and is evaluating the potential impact of the vulnerability on its products.
Cepheid has not yet confirmed compatibility of its GeneXpert systems with patches that mitigate CVE-2019-0708. The compatibility testing process is underway, and we expect it to be completed within the next several weeks.
If you would like to be notified when compatibility testing is completed, please contact your local Cepheid Technical support team or email productsecurity@cepheid.com