Intro: In this blog post, we'll be diving into the recent vulnerability (CVE-2022-40263) affecting BD (Becton, Dickinson and Company) Totalys MultiProcessor - a medical device data management system used in hospitals and clinics around the world. Specifically, we will explore the risks posed by hardcoded credentials in versions 1.70 and earlier and discuss potential mitigations for affected customers. Furthermore, we will also outline the additional protections provided to customers using the system on a Microsoft Windows 10 platform.

The Vulnerability: Hardcoded Credentials

BD Totalys MultiProcessor versions 1.70 and earlier contain hardcoded credentials, allowing unauthorized individuals to gain access to sensitive information - including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). The hardcoded credentials are embedded in the system's software and can be exploited by malicious actors who possess knowledge of these credentials.

It's worth mentioning that customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.

The following code snippet showcases an example of how hardcoded credentials might be exploited by a threat actor:

import requests

# Placeholder host: the real device address is not given in this post.
url = "http://BD_Totalys_MultiProcessor/login"
# Credentials embedded in the software; the actual values are intentionally not shown.
credentials = {"username": "hardcoded_username", "password": "hardcoded_password"}

response = requests.post(url, data=credentials)
if response.status_code == 200:
    print("Access granted. Obtained sensitive information.")
else:
    print("Access denied.")

If a threat actor successfully exploits this vulnerability, they could potentially access, modify or delete sensitive information on the affected systems. This poses a significant risk to the confidentiality, integrity and availability of patient data.

For more information on CVE-2022-40263, please refer to the following sources:

1. The National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-40263
2. BD's official security advisory: https://www.bd.com/en-us/support/security-advisory/cve-2022-40263

In these sources, you'll find the Common Vulnerability Scoring System (CVSS) scores, affected products, and potential mitigations that can be used by customers to reduce the risks associated with this vulnerability. According to the NVD, this vulnerability has been given a CVSS base score of 7.5, indicating a high level of severity.

Recommended mitigations for affected customers include:

1. Contact the BD service team to receive assistance in addressing the vulnerability.
2. Use network segmentation and firewalls to limit exposure and reduce the number of potential attack vectors.
3. Follow the Principle of Least Privilege (PoLP), ensuring that users only have access to the minimum required information and resources.
4. Regularly monitor system logs and network traffic for signs of unauthorized access or unusual activity.
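As an added example supporting mitigations 2 and 4 (it is not code from the original post or from BD), the helper below reviews login records and flags successful logins by a known shared account that originate from outside the network segment the device is supposed to be reachable from. The log format, the account name svc_totalys and the 10.20.30.0/24 segment are assumptions for illustration.

```python
import ipaddress
import re

# Assumed login record format; the field names are illustrative, not the device's.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_login(line):
    """Return the fields of one login record, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_logins(lines, shared_accounts, allowed_networks):
    """Flag successful logins by a shared account from outside the allowed segment.

    shared_accounts: account names known to be embedded in the software.
    allowed_networks: CIDR strings for the segment the device should live in.
    Returns (timestamp, user, src) tuples in log order.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in lines:
        rec = parse_login(line)
        if rec is None or rec["result"] != "success":
            continue
        if rec["user"] not in shared_accounts:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            # Unparsable source address: surface it rather than silently drop it.
            hits.append((rec["ts"], rec["user"], rec["src"]))
            continue
        if not any(src in net for net in nets):
            hits.append((rec["ts"], rec["user"], rec["src"]))
    return hits


# Constructed sample records (not real device output); the account name is assumed.
SAMPLE_LOG = [
    "2022-11-05T10:12:03Z login user=svc_totalys src=10.20.30.7 result=success",
    "2022-11-05T10:14:41Z login user=svc_totalys src=192.168.99.12 result=success",
    "2022-11-05T10:15:02Z login user=svc_totalys src=192.168.99.12 result=failure",
    "2022-11-05T10:16:20Z login user=jdoe src=192.168.99.12 result=success",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for ts, user, src in find_suspicious_logins(SAMPLE_LOG, {"svc_totalys"}, ["10.20.30.0/24"]):
        print(f"{ts}: shared account {user} used from outside the lab segment ({src})")
```

Any hit is a prompt to check whether the segmentation rule in mitigation 2 is actually enforced for that source.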

Additionally, customers should always remain vigilant in ensuring that their software and security measures are up-to-date. This includes monitoring security advisories, patching systems when necessary, and conducting regular security risk assessments.

Conclusion

CVE-2022-40263 is a high-severity vulnerability affecting BD Totalys MultiProcessor systems, caused by hardcoded credentials present in versions 1.70 and earlier. It is essential for affected customers to take the necessary steps to mitigate the risks posed by this vulnerability, especially given the sensitive nature of the data handled by these systems. By raising awareness of this vulnerability and implementing BD's recommended mitigations, customers can better protect their systems from exploitation and safeguard sensitive patient information.

Timeline

Published on: 11/04/2022 19:15:00 UTC
Last modified on: 11/07/2022 17:37:00 UTC