BD FACSLyric (Update A)

MonitorCVSS 6.8ICS-CERT ICSMA-19-029-02Jan 29, 2019

Attack path

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

FACSLyric flow cytometry systems running Windows 10 Professional Operating System are vulnerable to privilege escalation due to improper access controls (CWE-284). An attacker with physical access could gain administrative-level privileges and execute arbitrary commands on the instrument control workstation. The vulnerability affects FACSLyric IVD systems (U.S. release) and FACSLyric RUO systems (U.S. and Malaysian releases, November 2017–November 2018). Systems running Windows 7 are not affected. BD is disabling administrative accounts on RUO systems and replacing workstations on IVD systems as remediation.

What this means

What could happen

An attacker with physical access to the FACSLyric workstation could escalate privileges to administrator level and run arbitrary commands, potentially compromising instrument control, data integrity, or allowing malware installation.

Who's at risk

BD FACSLyric flow cytometry systems used in research or in vitro diagnostics (IVD) settings that run Windows 10 Professional Operating System. This affects laboratory technicians, facility managers, and IT staff responsible for laboratory equipment security at research institutions, clinical labs, or diagnostic centers.

How it could be exploited

The vulnerability requires physical access to the workstation. An attacker would exploit a privilege escalation flaw in the Windows 10 Pro operating system configuration on FACSLyric systems to gain administrative-level access and execute arbitrary commands on the instrument control computer.

Prerequisites

Physical access to the FACSLyric workstation
Windows 10 Professional Operating System (specific U.S. release for IVD, or U.S./Malaysian releases between November 2017–November 2018 for RUO)
No user authentication required to trigger the vulnerability

Physical access required (reduces remote risk but increases insider/facility risk)No authentication required for exploitationPrivilege escalation to administrative levelAffects Windows 10 Pro configuration (common in research/diagnostic labs)No patch available for IVD systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 pending

ProductAffected VersionsFix Status

FACSLyric: IVD Windows 10 Professional Operating System U.S. releaseWindows 10 Professional Operating System U.S. releaseNo fix yet

FACSLyric: Research Use Only Windows 10 Professional Operating System U.S. and Malaysian Releases between November 2017 and November 2018Windows 10 Professional Operating System, U.S. and Malaysian Releases, between November 2017 and November 2018No fix yet

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDFor FACSLyric RUO units: Coordinate with BD to have the administrative account disabled on your Windows 10 Pro workstations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXFor FACSLyric IVD units: Schedule replacement of Windows 10 Pro workstations with BD according to their replacement timeline

Long-term hardening

0/1

HARDENINGImplement physical access controls to restrict unauthorized personnel from accessing FACSLyric instrument workstations

CVEs (1)

CVE-2019-6517

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/935de724-0d87-4814-9ae0-2df19661524a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.