BD Totalys MultiProcessor Vulnerability
Use of Hard-coded Credentials vulnerability affects the Totalys MultiProcessor
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Becton, Dickinson and Company (BD) reported a use of hard-coded credentials vulnerability in Totalys MultiProcessor, their system for processing clinical tissue specimens. An attacker on a local network could exploit this vulnerability, which is known as CVE-2022-40263, to access, modify, or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII).
Vulnerability
CVE-2022-40263 - CWE-798 - USE OF HARD-CODED CREDENTIALS
The affected product uses hard-coded credentials, which could allow an attacker to access, modify, or delete sensitive information including ePHI, PHI, and PII. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass any additional security controls. A CVSS v3 base score of 6.6 has been assigned.
Remediation advice
Affected organisations are encouraged to review CISA Medical Advisory ICSMA-22-277-01 and the BD Totalys MultiProcessor Hardcoded Credentials Bulletin.
BD recommends the following compensating controls for users running versions of the BD Totalys MultiProcessor that use hard-coded credentials:
- Ensure physical access controls are in place; only authorised end-users should have access to the BD Totalys MultiProcessor.
- If the BD Totalys MultiProcessor must be connected to a network, ensure industry standard network security policies and procedures are followed.
Note: According to BD, this vulnerability is scheduled to be remediated in the BD Totalys MultiProcessor version 1.71 software release expected in fourth quarter 2022.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 6 October 2022 4:39 pm