BD Totalys MultiProcessor

MonitorCVSS 6.6ICS-CERT ICSMA-22-277-01Oct 4, 2022

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

BD Totalys MultiProcessor contains hard-coded credentials that could allow an authenticated local user to access, modify, or delete sensitive information including electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII). The vulnerability affects all versions up to and including 1.70. BD has scheduled a fix for version 1.71 expected in Q4 2022. The vulnerability is not remotely exploitable and requires local or physical access plus valid credentials.

What this means

What could happen

An attacker with local access and valid credentials could access, modify, or delete sensitive patient health information and other protected data stored on the device.

Who's at risk

Hospital laboratory and pathology departments using BD Totalys MultiProcessor analyzers, especially those with network connectivity or shared access among lab technicians. Organizations handling ePHI and PHI are at risk if the device is not physically secured.

How it could be exploited

An attacker with physical or local network access must obtain valid credentials (hard-coded in the software). Once authenticated, they can access the device's file system and retrieve, alter, or destroy protected health information (ePHI, PHI, PII).

Prerequisites

Local or physical access to the BD Totalys MultiProcessor
Valid user credentials (hard-coded in firmware)
No remote exploitation possible

Hard-coded credentials in firmwareNo patch currently available (fix pending Q4 2022)Affects health information systems storing PHI/ePHILocal/physical access required (lowers remote risk but increases insider threat risk)

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

BD Totalys MultiProcessor: All≤ 1.701.71

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGImplement strict physical access controls—restrict access to the device to authorized personnel only

HARDENINGIf network connection is required, apply industry-standard network security policies and firewall rules to isolate the device

WORKAROUNDChange or disable hard-coded default credentials if vendor procedures allow

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to BD Totalys MultiProcessor version 1.71 or later when available (expected Q4 2022)

CVEs (1)

CVE-2022-40263

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/568a2f92-2a76-4ae1-90f7-87ddbb065938

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.