OTPulse

BD Diagnostic Solutions Products (Update A)

ICS-CERT ICSMA-24-352-01 · Dec 17, 2024
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

BD Diagnostic Solutions products (BACTEC Blood Culture System, COR System, EpiCenter Microbiology Data Management System, MAX System, Phoenix M50 Automated Microbiology System, and Synapsys Informatics Solution on NUC servers) contain hardcoded default credentials intended for BD technical support personnel. An attacker with local network access or physical presence at an instrument could use these default service credentials to access the device management interface, modify or delete clinical data, or trigger a system shutdown. Exploitation requires direct access to the local network and knowledge of the default credentials; remote exploitation is not possible. BD is developing remediation and plans to deploy patches via Field Service starting in the first half of 2025.

What this means
What could happen
An attacker with the default service credentials and local network or physical access to a BD diagnostic instrument could modify or delete patient data (an integrity impact) or trigger a system shutdown (an availability impact), disrupting clinical diagnostics and patient care workflows.
Who's at risk
Clinical laboratory operators managing BD diagnostic instruments, particularly those operating BACTEC blood culture systems, COR systems, EpiCenter microbiology data management, MAX systems, Phoenix M50 automated microbiology analyzers, and Synapsys informatics solutions on NUC servers. This affects all versions of these products currently in use.
How it could be exploited
An attacker would need to compromise the local network or be physically present at the instrument to access the service interface using hardcoded default credentials. Once authenticated, they could interact with the management interface to modify or delete data and potentially trigger a system shutdown.
Prerequisites
  • Local or physical access to the instrument or its network segment
  • Knowledge of default service credentials used by BD technical support
  • Access to the device management interface (not remotely exploitable)
Key points
  • Default service credentials are hardcoded in the products
  • No patch currently available (Field Service deployment expected first half of 2025)
  • Affects patient data confidentiality and integrity, and system availability
  • Requires local network or physical access (this limits, but does not eliminate, risk in clinical settings where instruments sit on shared lab networks)
  • All versions affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
All 6 affected; remediation is planned for all via BD Field Service (expected first half of 2025) and is not yet generally available per this advisory.
Product | Affected Versions | Fix Status
BD BACTEC Blood Culture System | vers:all/* (all versions) | Fix planned
BD COR System | vers:all/* (all versions) | Fix planned
BD EpiCenter Microbiology Data Management System | vers:all/* (all versions) | Fix planned
BD MAX System | vers:all/* (all versions) | Fix planned
BD Phoenix M50 Automated Microbiology System | vers:all/* (all versions) | Fix planned
BD Synapsys Informatics Solution | vers:all/* (all versions) | Fix planned
Remediation & Mitigation
Do now
WORKAROUND: Change all default service credentials on affected BD Diagnostic Solutions products to unique, strong passwords immediately, and verify that BD Field Service still has a supported way to authenticate before the next service visit.
HARDENING: Restrict access to affected devices to authorized personnel only; enforce strict physical and logical access controls.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Isolate affected devices in a dedicated VLAN or behind firewalls, with access restricted to trusted management hosts and authorized users only.
WORKAROUND: Disable RDP on affected devices, or block its port (TCP 3389) at the network boundary, if RDP is not required for clinical operations.
WORKAROUND: Disconnect affected devices from the network if network connectivity is not necessary for clinical operations.
HOTFIX: Apply the vendor remediation patch when BD schedules Field Service deployment (expected first half of 2025).
Long-term hardening
HARDENING: Monitor and log network traffic and file share access to affected device management environments, and alert on management connections (RDP, SMB) to instruments from hosts outside the trusted allow-list.
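The isolation, RDP-blocking and monitoring mitigations above all reduce to one question: which hosts are reaching the instruments' management and file-share services? The script below is an added example, written for this page rather than taken from OTPulse, CISA or BD, that checks firewall flow records against a per-site allow-list of trusted management hosts. The instrument addresses, the instrument VLAN, the trusted management range and the log lines are all constructed for illustration; the key=value flow format is an assumption and would be adapted to the site's firewall or NetFlow export.

```python
"""
Added example (not from the OTPulse page, CISA or BD): flag RDP/SMB traffic
reaching BD diagnostic instruments from hosts that are not on the trusted
management allow-list, and note any other traffic from outside the instrument
VLAN. All addresses, names and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

from ipaddress import ip_address, ip_network

# Services called out by the advisory mitigations: the management interface
# reached over RDP, and file share access over SMB.
WATCHED_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB/NetBIOS"}

# Constructed inventory (assumption, not real deployment data): instrument
# address -> instrument name.
INSTRUMENTS = {
    "10.20.5.11": "BD BACTEC Blood Culture System",
    "10.20.5.12": "BD Phoenix M50 Automated Microbiology System",
    "10.20.5.20": "BD EpiCenter Microbiology Data Management System",
}
INSTRUMENT_VLAN = ip_network("10.20.5.0/24")      # constructed lab segment
TRUSTED_MGMT = [ip_network("10.20.9.0/29")]       # constructed jump-host range

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: object      # ipaddress object
    dst: object
    proto: str
    dport: int
    action: str


@dataclass(frozen=True)
class Finding:
    severity: str    # "high" or "medium"
    ts: str
    src: str
    instrument: str
    reason: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed firewall line: '<ts> src=.. dst=.. proto=.. dport=.. action=..'."""
    ts, _, rest = line.partition(" ")
    kv = dict(_KV.findall(rest))
    try:
        return Flow(ts, ip_address(kv["src"]), ip_address(kv["dst"]),
                    kv["proto"], int(kv["dport"]), kv["action"])
    except (KeyError, ValueError):
        return None  # malformed line: skip it rather than abort the whole run


def is_trusted(src) -> bool:
    return any(src in net for net in TRUSTED_MGMT)


def check_flows(lines: List[str]) -> List[Finding]:
    """Return findings for traffic to instruments that violates the allow-list."""
    findings: List[Finding] = []
    for line in lines:
        f = parse_flow(line)
        if f is None or str(f.dst) not in INSTRUMENTS:
            continue                      # not an instrument, or unparseable
        name = INSTRUMENTS[str(f.dst)]
        if is_trusted(f.src):
            continue                      # permitted management host
        if f.dport in WATCHED_PORTS:
            # Management or file-share service reached from an untrusted host:
            # this is exactly the path the default credentials would be used on.
            findings.append(Finding("high", f.ts, str(f.src), name,
                                    f"{WATCHED_PORTS[f.dport]} from untrusted host ({f.action})"))
        elif f.src not in INSTRUMENT_VLAN:
            # Not a watched service, but the instrument is reachable from outside
            # its segment, so isolation is incomplete.
            findings.append(Finding("medium", f.ts, str(f.src), name,
                                    f"port {f.dport}/{f.proto} from outside instrument VLAN ({f.action})"))
    return findings


# Constructed sample flows (not real traffic).
SAMPLE_LOG = [
    "2025-01-15T10:02:11Z src=10.20.9.2 dst=10.20.5.11 proto=tcp dport=3389 action=allow",   # trusted jump host
    "2025-01-15T10:05:43Z src=10.20.5.12 dst=10.20.5.11 proto=tcp dport=445 action=allow",   # lab peer, not allow-listed
    "2025-01-15T10:07:09Z src=10.50.1.77 dst=10.20.5.20 proto=tcp dport=3389 action=allow",  # hospital LAN workstation
    "2025-01-15T10:07:10Z src=10.50.1.77 dst=10.20.5.20 proto=tcp dport=8443 action=allow",  # same host, other port
    "2025-01-15T10:09:00Z src=10.50.1.80 dst=10.60.0.5 proto=tcp dport=3389 action=allow",   # not an instrument
    "garbage line without fields",
]

if __name__ == "__main__":
    for fnd in check_flows(SAMPLE_LOG):
        print(f"[{fnd.severity}] {fnd.ts} {fnd.src} -> {fnd.instrument}: {fnd.reason}")
```

Legitimate instrument-to-EpiCenter or Synapsys data flows belong in the allow-list rather than being tuned out of the check; the point of keeping the list explicit is that every host able to reach RDP or SMB on an instrument is a host that can use the hardcoded service credentials until the Field Service patch lands.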
API: /api/v1/advisories/21b59889-c812-44ea-94f2-5e88025a910f