BD Viper LT™ system – Hardcoded Credentials

United States
North America

Canada (FR)

Canada (EN)

Mexico

United States

South America

Argentina

Brasil

Chile

Colombia
Europe

Belgium (FR)

Belgium (NL)

Česká republika

Denmark

Europe

Suomi

France

Deutschland

Hebrew

Hungary (EN)

Hungary (HU)

Ireland

Italia

Nederland

Norge

Polska

Россия

España

Sverige

Schweiz

Türkiye

United Kingdom
Middle East / Africa

Middle East, North Africa

Africa

Asia / Pacific

Australia / New Zealand

中国

Greater Asia

India

Indonesia

日本

Korea

Malaysia

Philippines

Singapore

Thailand

Vietnam
Login

Feb 11, 2022

Bulletins

HIGH

This notification provides product security information and recommendations related to the use of hardcoded credentials in BD Viper™ LT system version(s) 2.0 and later. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

BD Viper™ LT system – version(s) 2.0 and later

CVE-2022-22765 - BD Viper™ LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper™ LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.

The BD Viper™ LT system provides fully automated, integrated molecular testing on a tabletop analyzer. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.

There have been no reports of this vulnerability being exploited in a clinical setting.

CVSS: 8.0 (High) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

BD is working to remediate the hardcoded credentials vulnerability in BD Viper™ LT system and is providing this information to increase awareness. The fix is expected in BD Viper™ LT system version 4.80 software release.

Additionally, BD recommends the following compensating controls for customers using the BD Viper™ LT system that utilize the hardcoded credentials:

Ensure physical access controls are in place and only authorized end-users have access to the BD Viper™ LT system.
Disconnect the BD Viper™ LT system from network access, where applicable.
If the BD Viper™ LT system must be connected to a network, ensure industry standard network security policies and procedures are followed.

For product- or site-specific concerns, contact your BD service representative.