Last updated: May 15, 2023
Original Publication: October 04, 2022
This notification provides product security information and recommendations related to the use of hardcoded credentials in specific versions of BD Totalys™ MultiProcessor. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
BD has released the following BD Totalys™ MultiProcessor software, which addresses CVE-2022-40263:
BD recommends that customers update to BD Totalys™ MultiProcessor version 1.71 software, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD account representative.
Prerequisites:
BD Totalys™ MultiProcessor 1.70 and earlier versions
CVE-2022-40263 - BD Totalys™ MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys™ MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.
The BD Totalys™ MultiProcessor combines full automation of the cell enrichment process for cervical samples, continuous chain of custody and customizable aliquots for ancillary testing. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.
There have been no reports of this vulnerability being exploited in any setting including clinical settings.
CVSS: 6.6 (Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Rationale: The attack surface is limited by the fact that physical access to the BD Totalys™ MultiProcessor instrument or Remote Workstation is necessary for a malicious actor to exploit the vulnerability. A successful attack would involve the threat actor having access to Windows authentication credentials (Remote Workstation) or breaking out of kiosk mode (Instrument) to gain access to the underlying Windows operating system. Any such attack would have high impact to the confidentiality and partial impact to the integrity and availability of the system, including potential access to sensitive information.
BD has assessed this vulnerability for clinical impact and concluded that the probability of an unauthorized physical breach of a BD Totalys™ MultiProcessor instrument or workstation would be negligible because, to be successful, an attacker would have to complete a certain sequence of events in a specific order. However, successful exploitation could lead to modification of ePHI, which could lead to results being associated with the wrong patient. Incorrect patient-slide association could further lead to inappropriate patient management.
BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability:
BD is working to remediate the hardcoded credentials vulnerability in BD Totalys™ MultiProcessor and is providing this information to increase awareness. This vulnerability is scheduled to be remediated in the BD Totalys™ MultiProcessor version 1.71 software release expected in the fourth quarter of 2022.
BD Totalys™ MultiProcessor version 1.71 software release is now expected in the first quarter of 2023.
Additionally, BD recommends the following compensating controls for customers using versions of the BD Totalys™ MultiProcessor that utilize hardcoded credentials:
For product- or site-specific concerns, contact your BD service representative.