Vulnerability Identified in BD Totalys MultiProcessor

The Cybersecurity and Infrastructure Security Agency (CISA) has released a medical alert concerning a recently identified vulnerability that impacts the BD Totalys MultiProcessor, which hospitals and laboratories use for testing clinical tissue samples.

The vulnerability is because of using hard-coded credentials, which may enable an attacker to have access to a vulnerable Totalys MultiProcessor to view, change, or erase sensitive information, which includes personally identifiable information (PII) and protected health information (PHI).

An attacker cannot exploit the vulnerability remotely. To be able to exploit the vulnerability, a malicious actor must have physical access to a BD Totalys MultiProcessor or system access. If there are extra security controls, these must be bypassed.

The vulnerability, monitored as CVE-2022-40263, impacts all BD Totalys MultiProcessor versions which include versions before v1.70, and was given a medium CVSS severity score of 6.6 out of 10.

BD discovered the vulnerability and reported it to CISA following its responsible disclosure policy. According to BD, the vulnerability will be fixed in the next v1.71 software launch, which is anticipated to be accessible to end users in Q4 of 2022. For the time being, BD has recommended mitigations to stop vulnerability exploitation.

End users must be sure there are physical access controls set up to restrict access to the BD Totalys MultiProcessor to authorized persons only. In case the device should be linked to a network, industry-standard security guidelines and procedures must be adopted.

During the release of the alert, there were no known cases of vulnerability exploitation or exploits in the wild.