Last updated: May 15, 2023
Original Publication: October 04, 2022
This notification provides product security information and recommendations related to the use of hardcoded credentials in specific versions of BD Totalys™ MultiProcessor. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
BD has released the following BD Totalys™ MultiProcessor software, which addresses CVE-2022-40263:
BD recommends that customers update to BD Totalys™ MultiProcessor version 1.71 software, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD account representative.
BD Totalys™ MultiProcessor 1.70 and earlier versions
CVE-2022-40263 - BD Totalys™ MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys™ MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.
The BD Totalys™ MultiProcessor combines full automation of the cell enrichment process for cervical samples, continuous chain of custody and customizable aliquots for ancillary testing. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.
There have been no reports of this vulnerability being exploited in any setting including clinical settings.
CVSS: 6.6 (Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Rationale: The attack surface is limited by the fact that physical access to the BD Totalys™ MultiProcessor instrument or Remote Workstation is necessary for a malicious actor to exploit the vulnerability. A successful attack would involve the threat actor having access to Windows authentication credentials (Remote Workstation) or breaking out of kiosk mode (Instrument) to gain access to the underlying Windows operating system. Any such attack would have high impact to the confidentiality and partial impact to the integrity and availability of the system, including potential access to sensitive information.
BD has assessed this vulnerability for clinical impact and concluded that the probability of an unauthorized physical breach of a BD Totalys™ MultiProcessor instrument or workstation would be negligible because, to be successful, an attacker would have to complete a certain sequence of events in a specific order. However, successful exploitation could lead to modification of ePHI, which could lead to results being associated with the wrong patient. Incorrect patient-slide association could further lead to inappropriate patient management.
BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability:
BD is working to remediate the hardcoded credentials vulnerability in BD Totalys™ MultiProcessor and is providing this information to increase awareness. This vulnerability is scheduled to be remediated in the BD Totalys™ MultiProcessor version 1.71 software release expected in the fourth quarter of 2022.
BD Totalys™ MultiProcessor version 1.71 software release is now expected in the first quarter of 2023.
Additionally, BD recommends the following compensating controls for customers using versions of the BD Totalys™ MultiProcessor that utilize hardcoded credentials:
For product- or site-specific concerns, contact your BD service representative