BD Totalys MultiProcessor Vulnerability

Use of Hard-coded Credentials vulnerability affects the Totalys MultiProcessor

Summary

BD has reported a use of hard-coded credentials vulnerability (CVE-2022-40263, CWE-798) in the Totalys MultiProcessor, which could allow an attacker with physical or network access to the device to access, modify, or delete sensitive information.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Becton, Dickinson and Company (BD) reported a use of hard-coded credentials vulnerability in Totalys MultiProcessor, their system for processing clinical tissue specimens. An attacker on a local network could exploit this vulnerability, tracked as CVE-2022-40263, to access, modify, or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII).


Vulnerability

CVE-2022-40263 - CWE-798 - USE OF HARD-CODED CREDENTIALS

The affected product uses hard-coded credentials, which could allow an attacker to access, modify, or delete sensitive information including ePHI, PHI, and PII. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass any additional security controls. A CVSS v3 base score of 6.6 has been assigned.
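The following is a generic illustration of the CWE-798 pattern and of one way to remove it, added here as an example. It is not BD's code and says nothing about how the Totalys MultiProcessor authenticates internally; the service account name, the password value, the environment-variable-free credential store and the source snippet scanned at the end are all constructed for the example.

```python
"""Generic illustration of CWE-798 (use of hard-coded credentials).

Added example, not BD's code: the weak pattern, a hardened replacement,
and a simple audit heuristic for spotting the weak pattern in source.
"""
import hashlib
import hmac
import re
import secrets

# --- Weak pattern: credential baked into the program --------------------
# Anyone who can read the binary, script or installer recovers the value,
# it is the same on every installed device, and it cannot be rotated
# without shipping a new release.
SERVICE_PASSWORD = "changeme123"  # constructed example value


def login_hardcoded(username, password):
    """Authenticates against a literal in the code (the CWE-798 pattern)."""
    return username == "service" and password == SERVICE_PASSWORD


# --- Hardened pattern ---------------------------------------------------
# Provision a per-device credential at install time, keep only a salted
# PBKDF2 hash of it in a protected store (here a plain dict standing in for
# a file with restricted permissions), and compare in constant time.

def make_verifier(password, salt=b"", iterations=200_000):
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify(password, verifier):
    """Constant-time check of a password against a stored verifier."""
    try:
        algo, iterations, salt_hex, digest_hex = verifier.split("$")
        if algo != "pbkdf2_sha256":
            return False
        calc = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(calc, bytes.fromhex(digest_hex))
    except ValueError:
        return False


# Verifier for a throwaway password, used so that unknown usernames cost
# the same time as known ones (no username enumeration via timing).
DUMMY_VERIFIER = make_verifier(secrets.token_hex(16))


def provision(username, password):
    """Builds a credential store for one device; the password is unique
    to that device and never appears in the code."""
    return {username: make_verifier(password)}


def login_hardened(username, password, store):
    verifier = store.get(username)
    if verifier is None:
        verify(password, DUMMY_VERIFIER)
        return False
    return verify(password, verifier)


# --- Audit heuristic ----------------------------------------------------
# Flags assignments of a non-empty string literal to a name that looks like
# a credential. Crude, but it finds the pattern shown at the top of this file.
_SECRET_ASSIGN = re.compile(
    r"^\s*(\w*(?:pass(?:word)?|secret|token|key)\w*)\s*=\s*[\"'][^\"']+[\"']",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source):
    """Returns the offending source lines, stripped of surrounding whitespace."""
    return [m.group(0).strip() for m in _SECRET_ASSIGN.finditer(source)]


if __name__ == "__main__":
    # Constructed source snippet to scan.
    sample = 'SERVICE_PASSWORD = "changeme123"\nname = "lab1"\nAPI_KEY = \'abc\'\n'
    print(find_hardcoded_secrets(sample))
    store = provision("service", "per-device-value")
    print(login_hardened("service", "per-device-value", store))
```

The hardened variant does not prevent a local attacker from reading the store if the device's own access controls are weak, which is why the compensating controls in the section below (physical access restriction and network segmentation) still matter until a fixed release is installed.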


Remediation advice

Affected organisations are encouraged to review CISA Medical Advisory ICSMA-22-277-01 and the BD Totalys MultiProcessor Hardcoded Credentials Bulletin.

BD recommends the following compensating controls for users running versions of the BD Totalys MultiProcessor that use hard-coded credentials:

  • Ensure physical access controls are in place; only authorised end-users should have access to the BD Totalys MultiProcessor.
  • If the BD Totalys MultiProcessor must be connected to a network, ensure industry-standard network security policies and procedures are followed.

Note: According to BD, this vulnerability is scheduled to be remediated in the BD Totalys MultiProcessor version 1.71 software release, expected in the fourth quarter of 2022.



Last edited: 6 October 2022 4:39 pm