BD FACSChorus

1. EXECUTIVE SUMMARY

  • CVSS v3 5.4
  • ATTENTION: Low attack complexity
  • Vendor: Becton, Dickinson and Company (BD)
  • Equipment: FACSChorus
  • Vulnerabilities: Missing Protection Mechanism for Alternate Hardware Interface, Missing Authentication for Critical Function, Improper Authentication, Use of Hard-coded Credentials, Insecure Inherited Permissions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with physical access to the device to modify system configurations, obtain access to sensitive information, or access components of the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following BD products are affected:

  • BD FACSChorus (HP Z2 G9 workstation, shipped with FACSDiscover S8 Cell Sorter): v5.0 and v5.1
  • BD FACSChorus (HP Z2 G5 workstation, shipped with FACSMelody Cell Sorter): v3.0 and v3.1

3.2 Vulnerability Overview

3.2.1 MISSING PROTECTION MECHANISM FOR ALTERNATE HARDWARE INTERFACE CWE-1299

In BD FACSChorus v5.0, v5.1, v3.0, and v3.1, the respective workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

CVE-2023-29060 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

In the BD FACSChorus v5.0, v5.1, v3.0, and v3.1 workstation, there is no BIOS password. A threat actor with physical access to the workst

[…]
This article has been indexed from All CISA Advisories
