true
BD Synapsys™– Insufficient Session Expiration

Background

This notification provides product security information and recommendations related to insufficient session expiration vulnerability in specific versions of BD Synapsys™ Informatics Solution. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

Products in Scope

  • BD Synapsys™ – versions 4.20, 4.20 SR1, and 4.30

Vulnerability Details

CVE-2022-30277 - BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may have an extended period of time to be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).

BD Synapsys™ is a software application delivering data management and workflow functionality across clinical diagnostic activities in a laboratory. To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys™ workstation.

This vulnerability was discovered by BD through standard internal testing. There have been no reports of this vulnerability being exploited in a laboratory setting.

Vulnerability Score

Rationale: The Base CVSS score is based on exploitability (which includes the attack vector, attack complexity, privileges required and user interaction), scope and potential impact to confidentiality, integrity and availability. In this case, a threat actor would have to have physical access to a workstation running BD Synapsys™. The attack complexity is Low, since no special access or conditions are needed once access to a BD Synapsys™ is obtained. The exploitation requires low-level privileges including access to the physical lab or the hospital network and requires user interaction. The scope of the vulnerability is unchanged as it only impacts the BD Synapsys™. The vulnerability can have a high impact to confidentiality as the system contains sensitive information. The impact to integrity is also High as successful exploitation potentially allows for an unauthorized user to modify BD Synapsys™ data.

Clinical Risk Assessment and Patient Safety Impact

BD has assessed this vulnerability for clinical impact and concluded that the probability of an unauthorized physical breach of a BD Synapsys™ workstation would be negligible due to the sequence of events that must occur in a specific order. However, successful exploitation could lead to modification of ePHI, PHI, or PII, which could cause delayed or incorrect treatment.

Mitigations and Compensating Controls

BD Synapsys™ v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys™ v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022.

Additionally, BD recommends the following compensating controls for customers using the impacted versions of BD Synapsys™:

  • Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys™.
  • Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys™ workstations.
  • Place a reminder at each computer for users to save all work, logout, or lock their workstation when leaving the BD Synapsys™ workstation.
  • Ensure industry standard network security policies and procedures are followed.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.