BD Viper LT
Plan Patch | 8 | ICS-CERT ICSMA-22-062-02 | Mar 3, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
BD Viper LT system versions 2.0 and later contain hard-coded credentials that could allow an attacker with physical access to the device to access, modify, or delete sensitive laboratory data and information. The vulnerability is not remotely exploitable. BD is working on a fix expected in Version 4.80. Until a patch is available, compensating controls such as physical access restrictions, network isolation, and standard network security policies are recommended.
What this means
What could happen
An attacker with physical access to a BD Viper LT system could use hard-coded credentials to access, modify, or delete sensitive patient or laboratory data stored on the device.
Who's at risk
Clinical and diagnostic laboratories using BD Viper LT automated laboratory systems should be concerned. This impacts any facility that relies on the Viper LT for specimen processing or test result data management.
How it could be exploited
An attacker with physical access to the BD Viper LT system can obtain hard-coded credentials from the device documentation or through reverse engineering, then use these credentials to log in locally and access the system's data and functions.
Prerequisites
- Physical access to the BD Viper LT system
- Knowledge of hard-coded credentials (documented or recoverable from device)
- Hard-coded credentials present
- No patch currently available
- Affects data confidentiality and integrity
- No authentication required if physical access obtained
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
BD Viper LT system: All | ≥ 2.0 | 4.80
Remediation & Mitigation
Do now
- HARDENING: Restrict physical access to BD Viper LT systems - ensure only authorized personnel can physically access the device
- WORKAROUND: Disconnect BD Viper LT systems from network access if not required for operations
- HARDENING: If network connection is required, enforce network security policies including access control lists and firewall rules to limit which systems and users can reach the device
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update to BD Viper LT Version 4.80 or later when available
CVEs (1)