BD Discloses Vulnerabilities in FACSChorus Software
Becton, Dickinson and Company (BD) has recently disclosed seven vulnerabilities in its FACSChorus software. The vulnerabilities are low- to medium-severity, with CVSS scores ranging from 2.4 to 5.4. Successful exploitation could allow an attacker to modify system configurations, access sensitive data, or access system components. Six of the seven require physical access to the FACSChorus workstation; the remaining one (CVE-2023-29062) requires an attacker positioned on the same local network.
The vulnerabilities, in order of severity, are:
CVE-2023-29060 – Missing protection mechanism for alternate hardware interface – CVSS 5.4
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1 – The workstation operating system does not restrict what devices can interact with its USB ports. The vulnerability could be exploited with physical access to gain access to system information and potentially exfiltrate data.
CVE-2023-29061 – Missing authentication for critical function – CVSS 5.2
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation has no BIOS password. The vulnerability could be exploited with physical access to change the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.
CVE-2023-29064 – Hard-coded credentials – CVSS 4.1
Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, including tokens and passwords for administrative accounts.
CVE-2023-29065 – Insecure inherited permissions – CVSS 4.1
Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software database can be accessed directly with the privileges of the currently logged-in user. Exploitation would allow a threat actor with physical access to potentially gain credentials, and then alter or destroy data stored in the database.
CVE-2023-29062 – Improper authentication – CVSS 3.8
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The operating system hosting the FACSChorus application is configured to allow the transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. NTLMv2 hashes can be sent to a malicious entity positioned on the local network and can then be brute-forced offline if a weak password is used.
CVE-2023-29066 – Incorrect privilege assignment – CVSS 3.2
Vulnerability is present in BD FACSChorus v5.0 and v5.1 and the respective workstations. The software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.
CVE-2023-29063 – Missing protection mechanism for alternate hardware interface – CVSS 2.4
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation does not prevent physical access to its PCI Express (PCIe) slots. A threat actor could insert a PCIe card designed for memory capture and extract sensitive information, such as a BitLocker encryption key, from a dump of the workstation's RAM taken during startup.
BD notified CISA about the vulnerabilities and confirmed that all seven will be addressed in an upcoming software release, and has suggested mitigations and compensating controls that can be implemented in the interim. These include ensuring physical access controls are in place to restrict access to the software and respective workstations to authorized end users, ensuring industry-standard security controls are implemented if the workstations are connected to the local network, and tightly controlling administrative access to the software and workstations.
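The PowerShell script below is an added example, not code from BD, CISA, or the advisory, showing how an administrator could audit a FACSChorus workstation for the host-level conditions behind four of the findings: USB device restriction (CVE-2023-29060), outbound NTLM (CVE-2023-29062), the BitLocker key protector type relevant to PCIe memory capture (CVE-2023-29063), and write access to the application data folder (CVE-2023-29066). The registry values and cmdlets are standard Windows ones; the FACSChorus data folder path and the pass/fail thresholds are assumptions and should be adjusted to match BD's actual guidance. The BIOS password finding (CVE-2023-29061) cannot be checked from inside the operating system and is not covered.

```powershell
# Added example (not BD's or CISA's code): read-only audit of workstation
# settings related to several FACSChorus findings. Run in an elevated session.
# Assumptions: the data folder path below and the "expected" values are
# illustrative, not taken from the advisory.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Cve, [string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        CVE    = $Cve
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# CVE-2023-29060: USB ports accept any device. Check the device-installation
# restriction policy and whether the USB mass-storage driver is disabled (Start=4).
$deny    = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions' 'DenyRemovableDevices'
$usbstor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
Add-Finding 'CVE-2023-29060' 'Removable device installation denied' ($deny -eq 1) "DenyRemovableDevices=$deny"
Add-Finding 'CVE-2023-29060' 'USBSTOR driver disabled' ($usbstor -eq 4) "USBSTOR Start=$usbstor"

# CVE-2023-29062: hashed credentials sent to unvalidated resources.
# RestrictSendingNTLMTraffic=2 denies all outgoing NTLM to remote servers;
# LmCompatibilityLevel=5 sends NTLMv2 only and refuses LM/NTLM responses.
$ntlmOut = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
$lmLevel = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
Add-Finding 'CVE-2023-29062' 'Outgoing NTLM to remote servers denied' ($ntlmOut -eq 2) "RestrictSendingNTLMTraffic=$ntlmOut"
Add-Finding 'CVE-2023-29062' 'LmCompatibilityLevel is 5 (NTLMv2 only)' ($lmLevel -eq 5) "LmCompatibilityLevel=$lmLevel"

# CVE-2023-29063: PCIe memory capture at startup. A TPM-only BitLocker
# protector unseals the volume key before logon, so it is in RAM for a DMA
# device to read; a TPM+PIN protector holds the key until the PIN is entered.
$osVol      = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$protectors = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$hasPin     = ($protectors -contains 'TpmPin') -or ($protectors -contains 'TpmPinStartupKey')
Add-Finding 'CVE-2023-29063' 'BitLocker OS volume protected with TPM+PIN' `
    (($osVol.ProtectionStatus -eq 'On') -and $hasPin) "Protectors: $($protectors -join ',')"

# CVE-2023-29066: non-administrative OS accounts can modify local application
# data. Flag Allow ACEs granting any write right to broad built-in groups.
$appData     = 'C:\ProgramData\BD\FACSChorus'   # ASSUMED path; replace with the real one
$broadGroups = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]::Write
if (Test-Path -Path $appData) {
    $acl = Get-Acl -Path $appData
    $writable = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
    })
    $who = ($writable | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
    Add-Finding 'CVE-2023-29066' 'App data folder not writable by broad groups' ($writable.Count -eq 0) "Writable by: $who"
} else {
    Add-Finding 'CVE-2023-29066' 'App data folder found' $false "Path not found: $appData"
}

$findings | Format-Table -AutoSize
```

Each row is a plain object, so the script can be piped to `Export-Csv` for evidence collection across a fleet of workstations. Note that the checks report configuration state only; they do not confirm that the vendor's upcoming release has been applied, and a PASS on the NTLM checks still leaves the workstation exposed if Group Policy later reverts the values.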