Administrator Account Enabled in BD FACSLyric™ Cell Analyzer Systems with Windows 10 Professional

Background

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

It applies to products that are actively supported. BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Vulnerability disclosure is an essential component of BD's approach to transparency, enabling customers to properly manage risk through awareness and guidance.

This notification provides product security information and recommendations related to a security vulnerability identified in several recently shipped FACSLyric™ flow cytometry systems. The contents of this notification are disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and are voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).

Products in Scope

This notification applies to BD FACSLyric™ flow cytometry systems running the Windows 10 Professional operating system (OS), sold in the U.S. and in Malaysia between November 2017 and November 2018. The vulnerability affects twelve customers with BD FACSLyric™ Research Use Only (RUO) systems running Windows 10 Professional, and three BD FACSLyric™ IVD systems running the same operating system that were sold in the U.S. to a single customer. This vulnerability does not affect BD FACSLyric™ flow cytometry systems running Windows 7.

The BD FACSLyric™ flow cytometry system is a high-performance cell analyzer used for clinical and research testing.

Vulnerability Details

On October 30, 2018, BD internally identified and confirmed that the default administrator account on BD FACSLyric™ systems running the Windows 10 operating system had not been disabled by BD before distribution. A user with access to the workstation associated with the BD FACSLyric™ flow cytometer could use this privileged account to obtain full access to the critical configuration of the Windows operating system.

BD is voluntarily recalling the workstations related to the three BD FACSLyric™ IVD Cell Analyzer systems that were sold to a single customer. This voluntary recall is to ensure compliance with BD internal policies and not due to a mandated FDA requirement. This recall notice will be published on the Medical Device Safety site hosted by the FDA.

Product Security Risk Assessment and Vulnerability Score

BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS), the U.S. Food and Drug Administration (FDA), and independent security researchers to review the Common Vulnerability Scoring System (CVSS) base and temporal scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.

CVSS: 6.8 (Medium) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This vulnerability score is based on the following rationale and characterizations, which BD used in completing the risk assessment:

BD characterizes the vulnerability as a privilege escalation. The vulnerability is only exploitable by an attacker with physical access to the workstation associated with the BD FACSLyric™. BD notes that an attacker would need only a basic understanding of the Windows Operating System to exploit the vulnerability, and no additional privileges or user interaction would be required. As a result, BD characterizes the attack complexity as low according to CVSS specification documents. If an attacker were to exploit the vulnerability, that person could access and/or manipulate data and information stored on the workstation and could gain access to the critical configuration of the Windows Operating System, potentially disabling system and data protection safeguards. Based on this, BD characterizes the impact on data and/or system integrity and the impact on availability as high. BD characterizes the confidentiality risk as high because, if a customer stores confidential information on the workstation, that information could be accessed.

Mitigations & Compensating Controls

BD will follow up directly with affected customers to perform remediation activities.

  • BD has contacted the single clinical customer impacted and is replacing the computer workstations for the three BD FACSLyric™ IVD Cell Analyzer units with the Windows 10 Pro operating system.
  • For the remaining customers, those with BD FACSLyric™ RUO Cell Analyzer units with the Windows 10 Pro operating system, BD will disable the administrator account on the affected workstations.
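The following is an added example, not part of BD's notification or of BD's remediation procedure, showing how an administrator could verify on a Windows 10 workstation whether the condition described above is present and, if necessary, disable the account. It assumes that the "default administrator account" in this notification is the built-in Windows Administrator account, which carries the well-known relative identifier (RID) 500; that assumption is stated in the code. Because the built-in account can be renamed, the check matches on the SID rather than on the name "Administrator". Customers covered by this notification should still coordinate with BD before changing an affected workstation.

```powershell
# Added example (not BD's code). Audit and optionally disable the built-in Windows
# Administrator account (RID 500) on a Windows 10 workstation.
# Assumption: the "default administrator account" in the notification is this
# built-in account. Requires an elevated Windows PowerShell 5.1 session; the
# Microsoft.PowerShell.LocalAccounts cmdlets used here ship with Windows 10.

function Get-BuiltinAdministrator {
    # The built-in account may have been renamed, so match on the well-known RID
    # (the last component of the local machine SID) instead of the account name.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Test-BuiltinAdministratorEnabled {
    # Returns a summary object; Enabled = $true is the condition this advisory describes.
    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }
    [pscustomobject]@{
        Name            = $admin.Name
        SID             = $admin.SID.Value
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        LastLogon       = $admin.LastLogon   # $null if the account has never logged on
    }
}

function Disable-BuiltinAdministrator {
    param([switch]$WhatIf)
    $admin = Get-BuiltinAdministrator
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }

    # Guard 1: never disable the account that is running this session.
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($current.User.Value -eq $admin.SID.Value) {
        throw 'Refusing to disable the account in use; log on as another local administrator first.'
    }

    # Guard 2: make sure another member of the local Administrators group exists,
    # otherwise disabling the built-in account locks administrators out of the box.
    $others = Get-LocalGroupMember -Name 'Administrators' |
        Where-Object { $_.SID.Value -ne $admin.SID.Value }
    if (-not $others) {
        throw 'No other member of the local Administrators group; create one before disabling RID 500.'
    }

    if ($admin.Enabled) {
        Disable-LocalUser -SID $admin.SID -WhatIf:$WhatIf
    }
    Test-BuiltinAdministratorEnabled
}

# Usage: report first, then disable once the guards are satisfied.
Test-BuiltinAdministratorEnabled | Format-List
# Disable-BuiltinAdministrator -WhatIf   # dry run
# Disable-BuiltinAdministrator
```

Run the audit function on each workstation in scope; an account with Enabled set to $true and a non-null LastLogon indicates that the privileged account has actually been used and warrants a review of what was changed on that system. The two guards in the disable function exist because the failure mode of this remediation is the opposite of the vulnerability: a workstation with no usable administrator account.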

Additional Resources

For technical support, please contact the BD Biosciences General Tech Support - Flow Cytometry via email researchapplications@bd.com or phone 877-232-8995 option 2 and then option 2 again.

For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office: https://www.bd.com/productsecurity


BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners. BD Franklin Lakes, NJ 07417 United States bd.com

© 2019 BD

Last BD Publication Update: 01/29/2019
Original BD Publication Date: 01/29/2019
