Default Credentials – BD Diagnostic Solutions Products

Background

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to a default credential security vulnerability found within specific BD Diagnostic Solutions products.

As a routine practice, BD has shared this vulnerability with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates.

Products in Scope

This notification applies to:

  • BD BACTEC™ Blood Culture System
  • BD COR™ System
  • BD EpiCenter™ Microbiology Data Management System
  • BD MAX™ System
  • BD Phoenix™ M50 Automated Microbiology System
  • BD Synapsys™ Informatics Solution*

*Note: BD Synapsys™ Informatics Solution is only in scope of this vulnerability when installed on a NUC server. BD Synapsys™ Informatics Solution installed on a customer-provided virtual machine or on the BD Kiestra™ SCU hardware is not in scope.

Vulnerability Details

CVE-2024-10476 – Default credentials in specific BD Diagnostics Solutions Products – Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system.

The BD Diagnostic Solutions products’ default credentials are intended for use by BD technical support teams for the above-mentioned BD products within the clinical setting. A threat actor would have to compromise your local network and, in some cases, may also need to be physically present at the instrument in order to use these product service credentials.

The BD RSS platform has not been impacted by and is not in scope of this vulnerability.

To date, BD has not been made aware of any unauthorized use of these product service credentials and has received no reports of these credentials being used for unauthorized access to any BD device.

Vulnerability Score

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity.

CVSS: 8.0 (High) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Rationale: A threat actor could exploit this vulnerability through access to an adjacent network within the clinical setting and, in some cases, may also need to be physically present at the instrument. The attack complexity is low and there are no specialized privileges or user interaction required. The scope would be unchanged. There is a high impact to confidentiality, integrity and availability.

Patient Safety Assessment

Unauthorized access to BD instruments/systems could be used to disable instruments, corrupt or expose instrument/system databases or modify diagnostic test results. An instrument disablement can delay appropriate diagnosis and treatment. Data corruption or results tampering (where results may either be falsely positive or falsely negative) could cause incorrect diagnosis and inappropriate or absent treatment.

To date, there have been no complaints/adverse events worldwide related to this vulnerability.

Mitigations & Compensating Controls

BD has already communicated to customers with affected products and is working with them to update default credentials on affected products. For this vulnerability to be exploited, a threat actor will need direct access, whether logical or physical, into the clinical setting. It is recommended that customers follow best practices for maintaining strong security controls around the logical and physical environments where Diagnostic Solutions instruments are located, including:

  • Ensure access to potentially vulnerable devices is limited to authorized personnel
  • Inform authorized users of the issue, and ensure all relevant passwords are tightly controlled
  • Monitor and log network traffic attempting to reach medical device management environments for suspicious activity
  • Where possible, isolate affected devices in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed
  • Impacted devices do not require RDP; RDP ports should be disabled or blocked if they are enabled
  • Ensure permissions on file shares are appropriately established and enforced, and monitor and log access for evidence of suspicious activity
  • Disconnect devices from the network if connectivity is not necessary

Additional Resources

For product- or site-specific concerns, contact your BD service representative.