Customer Service Notification

FSE ACCOUNT SECURITY UPDATE

GENERAL INFORMATION
GCS PORTAL Number 2023-404-0 CRM Number (If N/A
applicable):
REVISION TABLE
Issued date Revision number Purpose of revision – short description
02-AUG-2023 Rev. 0 Creation of the document

SCOPE
Context Description: FSE Account has to be changed on some systems
Product Reference(s) and Name: List of systems impacted in the content

Market: ✅ 10- Clinical (Clinical, Veterinary) ☐ 20- POL (= Physician Office Laboratory)
✅ 40 Food (Industry Food ) ✅ 60- Healthcare (Industry Pharma, Blood bank)

Impacted countries: All

Target Date: 30-SEP-2023

ACTIONS
Actions required

☐ No for information only

Yes: Actions required

Action at subsidiary/distributor level

Action at customer level: ☐ bioMérieux staff FSE/FAS/FIT action required at customer site
Action Doable remotely (eg VILINK® , Remote Video Service (RVS) or other tools)
Doable / To be done by the customer

☐ Deployment follow-up needed

Number: 2023-404-0 CSN title: FSE Account Security Update Page 1 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A

ACTIONS DETAILS

ACTION(S) ON PRODUCT

Actions Description Field Workload Impacted function Target date

# Assessment (to be adjusted
Estimated according to your local
duration of organization)
actions
1 Record any request raised by the FSE/FAS/FIT/Hotline
customer related to the FSE account 5mn
security update
2 Answer to the customer verbally by using FSE/FAS/FIT/Hotline
15mn
this guide 30-SEP-2023
3 Check the translation of the letter and Administration
30mn
correct if necessary
4 Translate the customer letter if required for Administration
2 hours
translations not provided
5 Send the letter to the customers 2 hours Administration

6 Schedule and perform patch deployment FSE/FAS/FIT/Hotline

-
for each system in the scope

INSTALLED BASE UPDATE

N/A

IMPACT
Added value to perform action(s)

Update the FSE Account credentials for security purposes.

MATERIAL REQUIRED
Material needed: ☐ Yes ☐ No ✅ Optional (in case VILINK® can be used)

CONTENT

This CSN contains the customer letter related to the FSE account security update for some systems in the languages
listed below:

• English

For other languages please use the most appropriate for your own translation.

Number: 2023-404-0 CSN title: FSE Account Security Update Page 2 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A

Below we have included answers to some potential frequently asked questions by customers regarding the FSE
account security update. This document is an internal conversation guide to answer your customers’ questions
verbally only-- it should not be shared with customers. Please use the Customer Letter to communicate directly
with your customers.

Please distribute this document only to those of your customer-facing team members who strictly need it.

CONTEXT / ISSUE

What is the FSE account used for and what happened?

The FSE account is an application account and not an operating system account, meaning you cannot enter Windows
with this account. This account is used by bioMérieux staff for maintenance, configuration and troubleshooting on
the application of our systems.

This account password must be updated for security reasons. This account has a high level of privilege on our
applications therefore it is mandatory to maintain a high level of security. After routine testing, bioMérieux has
determined that while many of our products are not impacted, some products need security update related to FSE
account credentials.

Customers have to follow the recommendations in this advisory, including applying current patch versions that will
be available over the course of July 2023.

Impacted Product List– Patch Available:

bioMérieux has determined that the products listed below are using the FSE account and should be patched.

System name System version

• 1.2.12.9
3P® STATION
• 2.1.5
• 1.1 (MW 1.4)
ARGENE® CONNECT
• 1.2 (MW 1.5)
• SP3
EMAG® • SP3 Patch #1
• SP3 Patch #2 for ARCO 1.2
• 1.1.x
ENDONEXTTM
• 2.0.x
• 1.1
ESTREAM®
• 1.2
• 3.1
GENE-UP®
• 3.2
SCANRDI® • 5.0.x
VIDAS® 3 • 1.4.x
VIDAS ® KUBE* • 1.0*
• R3
VIRTUO®
• R3.1
• 9.x
VITEK®2
• 10.x
• V3.0 Industry with MYLA**
VITEK® MS** • V3.1 Industry
• V3.2 Industry
VITEK® MS PRIME** • V1.0 Industry
VIDAS® 3 • 1.3.2

Number: 2023-404-0 CSN title: FSE Account Security Update Page 3 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A

As a remediation, bioMérieux developed and released security patches. Two patches are available:
- Patch for all systems except VIDAS 3 v1.3.2
- Patch VIDAS 3 v1.3.2

After patch installation, a new password will be needed to log into the FSE account. This password will be
communicated on GCS Portal. We are actively working to include the new password in all our new releases. We will
keep you posted on this action.

For Customers using VILINK®, each bioMérieux subsidiary must remotely push patches to each product using
currently the FSE impacted account.

For Customers not using VILINK®, bioMérieux will publish patches for such products on the bioMérieux
cybersecurity webpage (password protected) below:

https://productupdate.biomerieux.com/
LOGIN: bmx_customer
Password: 4r8dP3nU

The patches will not impact the validated state of systems or their performance. The patches should be applied to
any installed and impacted system. For any subsequent company installations, please make sure the patch is applied
at the time of the installation by the FSE and this until further notice.

Important to notice: the FSE account credential will be modified only if it has not been modified manually before. If
for some reason the FSE password was changed to something else than the default one, the patch won’t be applied.

*Specific case for VIDAS® KUBE

For VIDAS® KUBE system, it is mandatory to apply the patch on the FlexPro and on VIDAS® KUBE Primary module.

**Specific case for VITEK® MS range in Industry

VITEK® MS v3.0 IND (with MYLA v4.3) will not be patched. MYLA v4.3 is obsolete, and it is not possible to run the
patch on this system. As a remediation, two options are possible:
- Customer system should be upgraded on the last version and the patch applied
- The password should be changed manually

FREQUENTLY ASKED QUESTIONS (FAQs)

Q: How to answer customer questions about this event?

A: We would recommend conveying the message that bioMérieux is currently reinforcing the security of its systems,
while abstaining from providing further specific details. It is essential to note that there is no legal obligation to disclose
any additional information on this matter.

Q: Can customers modify the password by themselves?

A: Yes, customers can use their own application administrator accounts to modify the FSE password. However,
applying the patch remains the preferred option.

Q: Do customers need to isolate their systems from the network?

A: No, the FSE account is not an Operating System account but only an application account, so they do not need to
isolate the systems.

Number: 2023-404-0 CSN title: FSE Account Security Update Page 4 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A

 LINKED DOCUMENTS
# Internal Use Only
A CSN 2023-404-0 Service Documentation - 132168 - 01 - en - Patch FSE Credential Installation Link
Procedure
B CSN 2023-404-0 - platform-patch-ldap-core-1.0.0-2-setup Link
C CSN 2023-404-0 - vidas3-1-3-2-patch-ldap-core-1.0.0-1-setup Link

# Documents addressed to customers

A CSN 2023-404-0 - EN - Customer Letter Security update

CONTACT
Support: gcs_integratedsolutions@biomerieux.com

Author: Theo Proust And Frédéric Facon

Function: IT Specialist

Number: 2023-404-0 CSN title: FSE Account Security Update Page 5 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A

 ACKNOWLEDGEMENT FORM (if applicable, for subsidiaries,
plants and export distributors outside CRM)
Applicable: Yes ☐ / No ☐
Yes (CSN managed in CRM) // If No, you can skip the following sections

GENERAL INFORMATION
CSN Title
GCS PORTAL Number CRM Number:
Overall Due Date
(Target Date)

SECTION 1: LOCATION
Group Company or Distributor Name(s) Country Account #

SECTION 2: ACKNOWLEDGEMENT OF RECEIPT (AR)

Print Name
Sign Name
Position
Date (dd/MMM/yyyy)

SECTION 3: ACTIONS REQUIRED (service tasks)

Check the appropriate box and follow the instructions for completion.
CSN Not Applicable: Provide justification for each sections A, B and C
Complete the signature box below in section D and return
form.

CSN Applicable: Complete the following sections A, B C.

Complete the signature box below and return form in
section D
3.A – Initial Notification to Customer

If Not Applicable: Provide justification: …………………………………………………………………………………

…………………………………………………………………………………………………………………..

if Applicable: Complete the information of the ‘’Initial Notification to Customer’’ in the space
below:

COMPLETION DATE (customer letter issue date): dd/MMM/yyyy

3.B – Actions on Products

If Not Applicable: Provide justification: …………………………………………………………………………………

…………………………………………………………………………………………………………………..

if Applicable: Complete the required information of the ‘’Actions on Product’’ in the space
below:

Number: 2023-404-0 CSN title: FSE Account Security Update Page 6 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A

 Action(s) on Product

Actions # Completion Date

3.C– CHECKING PRE-REQUISITES

If Not Applicable: Provide justification: …………………………………………………………………………………

………………………………………………………………………………………………………………….
Complete the space below for ‘’the checking of the pre requisites’’ mentioned in
if Applicable: the CSN:

COMPLETION DATE : dd/MMM/yyyy

3.D– Other (if applicable)

If Not Applicable: Provide justification: …………………………………………………………………………………

………………………………………………………………………………………………………………….

if Applicable: Complete the following :

Other

Other # Completion Date

SECTION 4: ACKNOWLEDGEMENT OF COMPLETION (AC)

Complete the signature box below:

Print Name

Sign Name

Position

Date (dd/MMM/yyyy)

Number: 2023-404-0 CSN title: FSE Account Security Update Page 7 of 7

Confidential Information Created from Template 026345 - Attachment 2 - Rev 06.A