BD Viper LT™ system – Hardcoded Credentials

Background

This notification provides product security information and recommendations related to the use of hardcoded credentials in BD Viper™ LT system version(s) 2.0 and later. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

Products in Scope

  • BD Viper™ LT system – version(s) 2.0 and later

Vulnerability Details

  • CVE-2022-22765 - BD Viper™ LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper™ LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.

The BD Viper™ LT system provides fully automated, integrated molecular testing on a tabletop analyzer. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.

There have been no reports of this vulnerability being exploited in a clinical setting.

Vulnerability Score

Mitigations and Compensating Controls

BD is working to remediate the hardcoded credentials vulnerability in the BD Viper™ LT system and is providing this information to increase awareness. The fix is expected in the BD Viper™ LT system version 4.80 software release.

Additionally, BD recommends the following compensating controls for customers using BD Viper™ LT system versions that utilize the hardcoded credentials:

  • Ensure physical access controls are in place and only authorized end-users have access to the BD Viper™ LT system.
  • Disconnect the BD Viper™ LT system from network access, where applicable.
  • If the BD Viper™ LT system must be connected to a network, ensure industry-standard network security policies and procedures are followed.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.