CVE-2022-22765: BD Viper LT™ system – Hardcoded Credentials

BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.

Bulletin high

February 04, 2022

This notification provides product security information and recommendations related to the use of hardcoded credentials in BD Viper™ LT system version(s) 2.0 and later. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

Products in Scope

  • BD Viper™ LT system – version(s) 2.0 and later

Vulnerability Details

  • CVE-2022-22765 - BD Viper™ LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper™ LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.

The BD Viper™ LT system provides fully automated, integrated molecular testing on a tabletop analyzer. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.

There have been no reports of this vulnerability being exploited in a clinical setting.

Vulnerability Score

  • CVSS: 8.0 (High) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Mitigations and Compensating Controls

BD is working to remediate the hardcoded credentials vulnerability in BD Viper™ LT system and is providing this information to increase awareness. The fix is expected in BD Viper™ LT system version 4.80 software release.

Additionally, BD recommends the following compensating controls for customers using the BD Viper™ LT system that utilizes the hardcoded credentials:

  • Ensure physical access controls are in place and only authorized end-users have access to the BD Viper™ LT system.
  • Disconnect the BD Viper™ LT system from network access, where applicable.
  • If the BD Viper™ LT system must be connected to a network, ensure industry standard network security policies and procedures are followed.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.
