Advisory Issued About BD Totalys MultiProcessor Vulnerability

October 5, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory about a recently discovered vulnerability that affects the BD Totalys MultiProcessor, which is used by hospitals and labs for processing clinical tissue specimens.

The vulnerability is due to the use of hard-coded credentials, which could allow an attacker with access to a vulnerable Totalys MultiProcessor to access, modify, or delete sensitive data, including personally identifiable and protected health information.

The vulnerability cannot be exploited remotely. In order to exploit the flaw, a malicious actor would need physical access to the BD Totalys MultiProcessor or network access to the system. Any additional security controls would also need to be bypassed.

The vulnerability, tracked as CVE-2022-40263, affects all BD Totalys MultiProcessor versions including and prior to v1.70, and has been assigned a CVSS severity score of 6.6 out of 10 (medium severity).

The vulnerability was discovered by BD and was reported to CISA under its responsible disclosure policy. BD says the vulnerability is due to be remediated in the upcoming v1.71 software release, which is expected to be made available to users in Q4 2022. In the meantime, BD has suggested mitigations to prevent exploitation of the vulnerability.

Users should ensure physical access controls are in place so that access to the BD Totalys MultiProcessor is restricted to authorized individuals. If the device must be networked, industry-standard security policies and procedures should be followed.

At the time the alert was issued, there had been no cases of exploitation of the flaw and there were no known exploits in the public domain.

The post Advisory Issued About BD Totalys MultiProcessor Vulnerability appeared first on HIPAA Journal.