OTPulse

BD Synapsys

CVSS 5.7 · ICS-CERT ICSMA-22-151-02 · May 31, 2022
Attack Vector: Physical
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

BD Synapsys versions 4.20, 4.20 SR1, and 4.30 contain an improper session management vulnerability that could allow an attacker with physical access to an unattended workstation to access, modify, or delete sensitive patient health information (ePHI/PHI) and personally identifiable information (PII). The vulnerability is not remotely exploitable and requires an attacker to physically interact with an unlocked or logged-in workstation.

What this means
What could happen
An attacker with physical access to an unattended BD Synapsys workstation could access, modify, or delete sensitive patient health information and other protected data due to improper session management.
Who's at risk
Healthcare organizations using BD Synapsys for patient data management, including hospitals, clinics, and laboratory information systems. This affects any facility that relies on BD Synapsys workstations to access, store, or process patient health records.
How it could be exploited
An attacker must have physical access to a BD Synapsys workstation and may use social engineering to trick a user into leaving their session unlocked or logged in. The attacker can then interact with the workstation directly to access or manipulate sensitive ePHI/PHI/PII stored in the system.
Prerequisites
  • Physical access to BD Synapsys workstation
  • User session left active or unattended
  • Workstation not locked or logged out
  • Affects sensitive health information systems
  • Requires physical access to exploit
  • Default session timeout may allow prolonged access
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product        Affected Versions          Fix Status
BD Synapsys    4.20 | 4.20 SR1 | 4.30     5.10
Remediation & Mitigation
Do now
WORKAROUND: Configure operating system inactivity session timeout to match BD Synapsys session expiration timeout
HARDENING: Display user reminders at each workstation to save work, logout, or lock the workstation when leaving
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade BD Synapsys to version 5.10 or later
Long-term hardening
HARDENING: Implement physical access controls to restrict unauthorized personnel from entering areas with BD Synapsys workstations
HARDENING: Ensure network security policies and procedures follow industry standards
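The workaround above (aligning the operating system inactivity timeout with the BD Synapsys session expiration) can be checked and applied with a script like the following. This is an added example, not code from OTPulse, ICS-CERT or BD; it assumes the workstation runs Windows, that the Synapsys session timeout value is supplied by the operator (the 900-second value is a placeholder), and that it is run with administrative rights.

```powershell
# Added example (not from the advisory or from BD): align the Windows machine
# inactivity lock with the application session timeout so an unattended
# workstation locks no later than the Synapsys session expires.
# Assumptions: Windows workstation; BD Synapsys timeout supplied by the operator
# (placeholder below); run as Administrator.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'InactivityTimeoutSecs'   # "Interactive logon: Machine inactivity limit"

function Get-OsInactivityTimeoutSecs {
    # Returns the configured limit in seconds, or 0 when no limit is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-OsInactivityTimeoutSecs {
    # Valid range for this policy value is 1..599940 seconds.
    param([Parameter(Mandatory)][ValidateRange(1, 599940)][int]$Seconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

function Test-SessionTimeoutAlignment {
    # Returns $true when the OS locks the console no later than the
    # application session expires; otherwise warns and returns $false.
    param([Parameter(Mandatory)][int]$AppSessionTimeoutSecs)
    $os = Get-OsInactivityTimeoutSecs
    if ($os -eq 0) {
        Write-Warning 'No machine inactivity limit configured: an unattended session stays usable indefinitely.'
        return $false
    }
    if ($os -gt $AppSessionTimeoutSecs) {
        Write-Warning ("OS inactivity limit ({0}s) exceeds the application session timeout ({1}s)." -f $os, $AppSessionTimeoutSecs)
        return $false
    }
    return $true
}

# Placeholder: replace with the session expiration timeout configured in BD Synapsys.
$SynapsysSessionTimeoutSecs = 900

if (-not (Test-SessionTimeoutAlignment -AppSessionTimeoutSecs $SynapsysSessionTimeoutSecs)) {
    Set-OsInactivityTimeoutSecs -Seconds $SynapsysSessionTimeoutSecs
    Test-SessionTimeoutAlignment -AppSessionTimeoutSecs $SynapsysSessionTimeoutSecs | Out-Null
}
```

The registry value is the one written by the "Interactive logon: Machine inactivity limit" security policy; on domain-joined workstations, set it through Group Policy instead so a local change is not overwritten at the next policy refresh.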