CVE-2023-29060: BD FACSChorus Vulnerabilities - Software and Workstation
The FACSChorus™ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.
BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity.
BD has received no reports of these vulnerabilities being exploited.
BD assigned the following CVSS scores to these vulnerabilities:
**1. CVE-2023-29060 – Lack of USB Whitelisting**
Vulnerability Description: The FACSChorus™ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.
CVSS: 5.4 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Rationale: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Impact to confidentiality and integrity is low, as there is no sensitive data stored on the workstation. The impact to availability is high as user access to the workstation can be disabled.
This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.
**2. CVE-2023-29061 – Lack of Adequate BIOS Authentication**
Vulnerability Description: There is no BIOS password on the FACSChorus™ workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.
CVSS: 5.2 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Rationale: The attack vector is physical, as the attacker must be present at the workstation. The complexity of the attack is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. There is no impact to confidentiality because there is no sensitive data stored on the workstation. There is low impact to integrity because the threat actor cannot modify system information on the local drive. The impact to availability is high as the workstation boot process can be disabled.
This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.
**3. CVE-2023-29062 – Unsecure Identity Verification**
Vulnerability Description: The operating system hosting the FACSChorus application is configured to transmit hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, NBT-NS, or mDNS and results in NTLMv2 hashes being sent to a malicious entity positioned on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain-joined systems.
CVSS: 3.8 (Low) CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Rationale: An attacker must have access to the system’s local network in order for the target to transact with the attack server. The complexity of the attack is low as once network access is attained the attack is repeatable and straightforward. No additional privileges are required to the system, but a successful attack relies on a user to issue a network request on the target system. Because this attack relies on user domain credentials, this compromise could affect access to other systems connected to the same domain, therefore scope is changed. The impact of this attack involves only confidentiality as only a single user’s credentials are involved. There is no inherent impact to integrity and availability.
This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.
**4. CVE-2023-29063 – Lack of DMA Access Protections**
Vulnerability Description: The FACSChorus™ workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.
CVSS: 2.4 (Low) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Rationale: The attack vector is physical, as the attacker must be able to access the workstation’s internal PCI bus. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality is low because the information captured during the OS boot would not contain sensitive data. There is no impact to the integrity and availability of the workstation, as the data capture does not modify the OS and would not disable the workstation.
This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the Biohacking Village hosted at DEF CON 31.
**5. CVE-2023-29064 – Hardcoded Secrets**
Vulnerability Description: The FACSChorus™ software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.
CVSS: 4.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Rationale: The attack vector is physical as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Due to the nature of the data contained within the application, the overall impact to data confidentiality is low. Impacts to data integrity and availability are mitigated when backup and restore controls are followed, thus remaining low.
**6. CVE-2023-29065 – Overly Permissive Access Policy**
Vulnerability Description: The FACSChorus™ software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.
CVSS: 4.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Rationale: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality, integrity and availability is low because no sensitive data is stored on the workstation.
**7. CVE-2023-29066 – Incorrect User Management**
Vulnerability Description: The FACSChorus™ software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.
CVSS: 3.2 (Low) CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Rationale: The attack vector is physical, as the OS is hardened to prevent remote desktop access. Attack complexity is low, and end-user interaction is not required. If exploited, a threat actor with standard OS user access could move or delete files that contain experiment data. FACSChorus™ data does not contain confidential information, so there is no impact to confidentiality. The impact to integrity and availability is low, as the loss of experiment data would not affect the operation of FACSChorus™ software or the workstation.
This vulnerability was reported to BD by security researcher Milind Sunilbhai Purswani during the BD-sponsored Biohacking Village at DEF CON 31.