OTPulse

BD Totalys MultiProcessor

Monitor | CVSS 6.6 | ICS-CERT ICSMA-22-277-01 | Oct 4, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

BD Totalys MultiProcessor contains hard-coded credentials that could allow an authenticated local user to access, modify, or delete sensitive information including electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII). The vulnerability affects all versions up to and including 1.70. BD has scheduled a fix for version 1.71 expected in Q4 2022. The vulnerability is not remotely exploitable and requires local or physical access plus valid credentials.

What this means
What could happen
An attacker with local access and valid credentials could access, modify, or delete sensitive patient health information and other protected data stored on the device.
Who's at risk
Hospital laboratory and pathology departments using BD Totalys MultiProcessor analyzers, especially those with network connectivity or shared access among lab technicians. Organizations handling ePHI and PHI are at risk if the device is not physically secured.
How it could be exploited
An attacker with physical or local network access must obtain valid credentials (hard-coded in the software). Once authenticated, they can access the device's file system and retrieve, alter, or destroy protected health information (ePHI, PHI, PII).
Prerequisites
  • Local or physical access to the BD Totalys MultiProcessor
  • Valid user credentials (hard-coded in firmware)
  • No remote exploitation possible
Hard-coded credentials in firmware | No patch currently available (fix pending Q4 2022) | Affects health information systems storing PHI/ePHI | Local/physical access required (lowers remote risk but increases insider threat risk)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
BD Totalys MultiProcessor: All | ≤ 1.70 | 1.71
Remediation & Mitigation
Do now
HARDENING: Implement strict physical access controls—restrict access to the device to authorized personnel only
HARDENING: If network connection is required, apply industry-standard network security policies and firewall rules to isolate the device
WORKAROUND: Change or disable hard-coded default credentials if vendor procedures allow
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to BD Totalys MultiProcessor version 1.71 or later when available (expected Q4 2022)
BD Totalys MultiProcessor | CVSS 6.6 - OTPulse