BD Vulnerabilities in Synapsys

Summary

Becton, Dickinson and Company (BD) have reported an insufficient session expiration vulnerability in Synapsys, a software application delivering data management and workflow functionality across clinical diagnostic activities in a laboratory.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Becton, Dickinson and Company (BD) have reported that there is a vulnerability in Synapsys, their microbiology informatics solution platform. The vulnerability, known as CVE-2022-30277, has a CVSSv3 score of 5.7 and relates to insufficient session expiration.

BD claim that the probability of an unauthorised physical breach of a BD Synapsys workstation would be negligible due to the sequence of events that must occur in a specific order. However, successful exploitation could lead to modification of electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII). Modification of this information could result in delayed or incorrect treatment.


Remediation advice

Affected organisations should review the CISA Medical Advisory (ICSMA-22-151-02) "BD Synapsys" and the BD security advisory "BD Synapsys – Insufficient Session Expiration", and follow the relevant workarounds until updates are released.

BD is expecting to release updates. BD Synapsys v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022.



Last edited: 1 June 2022 4:46 pm