true
BD Totalys™ MultiProcessor - Hardcoded Credentials

Background

Last updated: May 15, 2023

Original Publication: October 04, 2022

This notification provides product security information and recommendations related to the use of hardcoded credentials in specific versions of BD Totalys™ MultiProcessor. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

Remediation

BEGIN UPDATE B: May 15, 2023

BD has released the following BD Totalys™ MultiProcessor software, which addresses CVE-2022-40263:

  • BD Totalys™ MultiProcessor version 1.71 software

 

BD recommends that customers update to BD Totalys™ MultiProcessor version 1.71 software, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD account representative. 

Prequisites:

  • BD Totalys™ MultiProcessor is installed on Microsoft Windows 10 Operating System

 

END UPDATE B: May 15, 2023

Products in Scope

BD Totalys™ MultiProcessor 1.70 and earlier versions

Vulnerability Details

CVE-2022-40263 - BD Totalys™ MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys™ MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.

The BD Totalys™ MultiProcessor combines full automation of the cell enrichment process for cervical samples, continuous chain of custody and customizable aliquots for ancillary testing. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.

There have been no reports of this vulnerability being exploited in any setting including clinical settings.

Vulnerability Score

CVSS: 6.6 (Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Rationale: The attack surface is limited by the fact that physical access to the BD Totalys™ MultiProcessor instrument or Remote Workstation is necessary for a malicious actor to exploit the vulnerability. A successful attack would involve the threat actor having access to Windows authentication credentials (Remote Workstation) or breaking out of kiosk mode (Instrument) to gain access to the underlying Windows operating system. Any such attack would have high impact to the confidentiality and partial impact to the integrity and availability of the system, including potential access to sensitive information.

Clinical Risk Assessment and Patient Safety Impact

BD has assessed this vulnerability for clinical impact and concluded that the probability of an unauthorized physical breach of a BD Totalys™ MultiProcessor instrument or workstation would be negligible because, to be successful, an attacker would have to complete a certain sequence of events in a specific order. However, successful exploitation could lead to modification of ePHI, which could lead to results being associated with the wrong patient. Incorrect patient-slide association could further lead to inappropriate patient management.

Mitigations & Compensating Controls

BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability:

BD is working to remediate the hardcoded credentials vulnerability in BD Totalys™ MultiProcessor and is providing this information to increase awareness. This vulnerability is scheduled to be remediated in the BD Totalys™ MultiProcessor version 1.71 software release expected in the fourth quarter of 2022.

BEGIN UPDATE A: Jan 12, 2023

BD Totalys™ MultiProcessor version 1.71 software release is now expected in the first quarter of 2023.

END UPDATE A: Jan 12, 2023

Additionally, BD recommends the following compensating controls for customers using versions of the BD Totalys™ MultiProcessor that utilize hardcoded credentials:

  • Ensure physical access controls are in place and only authorized end-users have access to the BD Totalys™ MultiProcessor.
  • If the BD Totalys™ MultiProcessor must be connected to a network, ensure industry standard network security policies and procedures are followed.

Additional Resources

For product- or site-specific concerns, contact your BD service representative