BD FACSChorus Vulnerabilities - Software and Workstation

Background

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers and researchers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to security vulnerabilities within specific versions of the BD FACSChorus™ software and workstation.

As a routine practice, BD has voluntarily shared this vulnerability with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

The vulnerabilities in this bulletin were discovered through routine internal security testing, which is part of our software development life cycle, and through partnership with security researchers during the Biohacking Village at DEF CON 31, an event that BD sponsors and participates in and that brings medical device manufacturers and security researchers together to strengthen medical device security.

Products in Scope

This notification applies to:

  • BD FACSChorus™ v5.0 and v5.1 with the HP Z2 G9 workstation, which is shipped with the BD FACSDiscover™ S8 Cell Sorter.
  • BD FACSChorus™ v3.0 and v3.1 with the HP Z2 G5 workstation, which is shipped with the BD FACSMelody™ Cell Sorter.


These vulnerabilities impact the BD FACSChorus™ v5.0, v5.1, v3.0, and v3.1 and their workstations. None of the vulnerabilities in this bulletin impact the operation or instrument functionality of the BD FACSDiscover™ S8 Cell Sorter or the BD FACSMelody™ Cell Sorter.

Associated CVEs in Scope and CVSS Severity

  • BD FACSChorus™ v5.0, v5.1, v3.0, and v3.1 and the respective workstations
    • CVE-2023-29060 – Lack of USB Whitelisting (Medium)
    • CVE-2023-29061 – Lack of Adequate BIOS Authentication (Medium)
    • CVE-2023-29062 – Unsecure Identity Verification (Low)
    • CVE-2023-29063 – Lack of DMA Access Protection (Low)
 
  • Only BD FACSChorus™ v5.0 and v5.1 and the respective workstations
    • CVE-2023-29064 – Hardcoded Secrets (Medium)
    • CVE-2023-29065 – Overly Permissive Access Policy (Medium)
    • CVE-2023-29066 – Incorrect User Management (Low)

Vulnerability Details

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity.

BD has received no reports of these vulnerabilities being exploited.

BD assigned the following CVSS score to these vulnerabilities:

1. CVE-2023-29060 – Lack of USB Whitelisting

Vulnerability Description: The FACSChorus™ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

CVSS: 5.4 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Rationale: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Impact to confidentiality and integrity is low, as there is no sensitive data stored on the workstation. The impact to availability is high as user access to the workstation can be disabled.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

2. CVE-2023-29061 – Lack of Adequate BIOS Authentication

Vulnerability Description: There is no BIOS password on the FACSChorus™ workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

CVSS: 5.2 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Rationale: The attack vector is physical, as the attacker must be present at the workstation. The complexity of the attack is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. There is no impact to confidentiality because there is no sensitive data stored on the workstation. There is low impact to integrity because the threat actor cannot modify system information on the local drive. The impact to availability is high as the workstation boot process can be disabled.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

3. CVE-2023-29062 – Unsecure Identity Verification

Vulnerability Description: The operating system hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, NBT-NS, or mDNS and will result in NTLMv2 hashes being sent to a malicious entity positioned on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain-joined systems.

CVSS: 3.8 (Low) CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Rationale: An attacker must have access to the system's local network in order for the target to transact with the attack server. The complexity of the attack is low: once network access is attained, the attack is repeatable and straightforward. No privileges on the system are required, but a successful attack relies on a user issuing a network request from the target system. Because this attack relies on user domain credentials, the compromise could affect access to other systems connected to the same domain; therefore, scope is changed. The impact of this attack involves only confidentiality, as only a single user's credentials are involved. There is no inherent impact to integrity or availability.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

4. CVE-2023-29063 – Lack of DMA Access Protections

Vulnerability Description: The FACSChorus™ workstation does not prevent physical access to its PCI Express (PCIe) slots, which could allow a threat actor to insert a PCIe card designed for memory capture. A threat actor could then isolate sensitive information, such as a BitLocker encryption key, from a dump of the workstation RAM taken during startup.

CVSS: 2.4 (Low) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Rationale: The attack vector is physical, as the attacker must be able to access the workstation's internal PCI bus. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality is low because the information captured during the OS boot would not contain sensitive data. There is no impact to the integrity and availability of the workstation, as the data capture does not modify the OS and would not disable the workstation.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the Biohacking Village hosted at DEF CON 31.

5. CVE-2023-29064 – Hardcoded Secrets

Vulnerability Description: The FACSChorus™ software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.

CVSS: 4.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Rationale: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Due to the nature of the data contained within the application, the overall impact to data confidentiality is low. Impacts to data integrity and availability are mitigated when backup and restore controls are followed, and thus remain low.

6. CVE-2023-29065 – Overly Permissive Access Policy

Vulnerability Description: The FACSChorus™ software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.

CVSS: 4.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Rationale: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality, integrity and availability is low because no sensitive data is stored on the workstation.

7. CVE-2023-29066 – Incorrect User Management

Vulnerability Description: The FACSChorus™ software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

CVSS: 3.2 (Low) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Rationale: The attack vector is physical, as the OS is hardened to prevent remote desktop access. Attack complexity is low, and end-user interaction is not required. If exploited, a threat actor with standard OS user access could move or delete files that contain experiment data. FACSChorus™ data does not contain confidential information, so there is no impact to confidentiality. The impact to integrity and availability is low, as the loss of experiment data would not affect the operation of FACSChorus™ software or the workstation.

This vulnerability was reported to BD by security researcher Milind Sunilbhai Purswani during the BD-sponsored Biohacking Village at DEF CON 31.

Patient Safety Assessment

The BD FACSChorus™ v5.0, v5.1, v3.0, and v3.1 and the respective workstations are designed for Research Use Only (RUO) and are not cleared for use in a clinical care environment/application. Therefore, there is no impact to patient safety.

Mitigations & Compensating Controls

Vulnerabilities associated with the BD FACSChorus™ software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:

  • Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus™ Software and respective workstation.
  • If the BD FACSChorus™ workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.
  • Administrative access to the FACSChorus™ software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.