Search criteria
4 vulnerabilities by Becton Dickinson (BD)
CVE-2022-30277 (GCVE-0-2022-30277)
Vulnerability from cvelistv5 – Published: 2022-06-01 16:38 – Updated: 2024-09-16 17:43
VLAI?
Title
BD Synapsys™ – Insufficient Session Expiration
Summary
BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).
Severity ?
5.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson (BD) | BD Synapsys™ |
Affected:
4.20 , ≤ 4.30
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:36.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Synapsys\u2122",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.20",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys\u2122 workstation."
}
],
"datePublic": "2022-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "BD Synapsys\u2122, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:38:50",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
],
"solutions": [
{
"lang": "en",
"value": "BD Synapsys\u2122 v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys\u2122 v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Synapsys\u2122 \u2013 Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"value": "Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys\u2122. \n\nEnsure physical access controls are in place and only authorized end-users have access to BD Synapsys\u2122 workstations. \n\nPlace a reminder at each computer for users to logout when leaving the BD Synapsys\u2122 workstation. \n\nEnsure industry standard network security policies and procedures are followed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-05-31T15:00:00.000Z",
"ID": "CVE-2022-30277",
"STATE": "PUBLIC",
"TITLE": "BD Synapsys\u2122 \u2013 Insufficient Session Expiration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Synapsys\u2122",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.20",
"version_value": "4.30"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys\u2122 workstation."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BD Synapsys\u2122, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
]
},
"solution": [
{
"lang": "en",
"value": "BD Synapsys\u2122 v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys\u2122 v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys\u2122. \n\nEnsure physical access controls are in place and only authorized end-users have access to BD Synapsys\u2122 workstations. \n\nPlace a reminder at each computer for users to logout when leaving the BD Synapsys\u2122 workstation. \n\nEnsure industry standard network security policies and procedures are followed."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-30277",
"datePublished": "2022-06-01T16:38:50.425711Z",
"dateReserved": "2022-05-04T00:00:00",
"dateUpdated": "2024-09-16T17:43:27.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22767 (GCVE-0-2022-22767)
Vulnerability from cvelistv5 – Published: 2022-06-01 16:35 – Updated: 2024-09-16 16:42
VLAI?
Title
BD Pyxis™ Products – Default Credentials
Summary
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
Severity ?
8.8 (High)
CWE
- CWE-262 - Not Using Password Aging
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Pyxis\u2122 Anesthesia ES Station",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 CIISafe",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 Logistics",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedBank",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 ES Server",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 ParAssist",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 Rapid Rx",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 StockStation",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyCenter",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyRoller",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122 EC",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122 RF auxiliary",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Rowa\u2122 Pouch Packaging Systems",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility\u2019s network, and gain access to individual devices and/or servers."
}
],
"datePublic": "2022-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-262",
"description": "CWE-262: Not Using Password Aging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:35:38",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"solutions": [
{
"lang": "en",
"value": "BD is currently strengthening our credential management capabilities in BD Pyxis\u2122 products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis\u2122 product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Pyxis\u2122 Products \u2013 Default Credentials",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to only authorized personnel."
},
{
"lang": "en",
"value": "Tightly control management of system passwords provided to authorized users."
},
{
"lang": "en",
"value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed."
},
{
"lang": "en",
"value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-05-31T15:00:00.000Z",
"ID": "CVE-2022-22767",
"STATE": "PUBLIC",
"TITLE": "BD Pyxis\u2122 Products \u2013 Default Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Pyxis\u2122 Anesthesia ES Station",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 CIISafe",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 Logistics",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedBank",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 4000",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 ES",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 ES Server",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 ParAssist",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 Rapid Rx",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 StockStation",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyCenter",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyRoller",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122 EC",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122 RF auxiliary",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Rowa\u2122 Pouch Packaging Systems",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility\u2019s network, and gain access to individual devices and/or servers."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-262: Not Using Password Aging"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
]
},
"solution": [
{
"lang": "en",
"value": "BD is currently strengthening our credential management capabilities in BD Pyxis\u2122 products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis\u2122 product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to only authorized personnel."
},
{
"lang": "en",
"value": "Tightly control management of system passwords provided to authorized users."
},
{
"lang": "en",
"value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed."
},
{
"lang": "en",
"value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22767",
"datePublished": "2022-06-01T16:35:38.991672Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-16T16:42:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22765 (GCVE-0-2022-22765)
Vulnerability from cvelistv5 – Published: 2022-02-12 02:30 – Updated: 2024-09-17 02:58
VLAI?
Title
BD Viper LT System - Hardcoded Credentials
Summary
BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.
Severity ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson (BD) | BD Viper LT System |
Affected:
next of 2.0 , < unspecified
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Viper LT System",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "next of 2.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-02-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:26:14",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"
}
],
"solutions": [
{
"lang": "en",
"value": "The fix is expected in BD Viper LT system version 4.80 software release."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Viper LT System - Hardcoded Credentials",
"workarounds": [
{
"lang": "en",
"value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viper\u00e2\u201e\u00a2 LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-02-11T21:00:00.000Z",
"ID": "CVE-2022-22765",
"STATE": "PUBLIC",
"TITLE": "BD Viper LT System - Hardcoded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Viper LT System",
"version": {
"version_data": [
{
"version_affected": "\u003e",
"version_value": "2.0"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "The fix is expected in BD Viper LT system version 4.80 software release."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viper\u00e2\u201e\u00a2 LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22765",
"datePublished": "2022-02-12T02:30:40.024621Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-17T02:58:09.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22766 (GCVE-0-2022-22766)
Vulnerability from cvelistv5 – Published: 2022-02-11 18:12 – Updated: 2024-09-16 19:15
VLAI?
Title
BD Pyxis Products - Hardcoded Credentials
Summary
Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
Severity ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Becton Dickinson (BD) | BD Pyxis Anesthesia Station ES |
Affected:
All
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Pyxis Anesthesia Station ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Anesthesia Station 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis CATO",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis CIISafe",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Inventory Connect",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis IV Prep",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis JITrBUD",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis KanBan RF",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Logistics",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Med Link Family",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedBank",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation ES Server",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis ParAssist",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis PharmoPack",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis ProcedureStation (including EC)",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Rapid Rx",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis StockStation",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyCenter",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyRoller",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyStation (including RF, EC, CP)",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Track and Deliver",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Rowa Pouch Packaging Systems",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
}
],
"datePublic": "2022-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:28:22",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Pyxis Products - Hardcoded Credentials",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-02-12T04:00:00.000Z",
"ID": "CVE-2022-22766",
"STATE": "PUBLIC",
"TITLE": "BD Pyxis Products - Hardcoded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Pyxis Anesthesia Station ES",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Anesthesia Station 4000",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis CATO",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis CIISafe",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Inventory Connect",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis IV Prep",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis JITrBUD",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis KanBan RF",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Logistics",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Med Link Family",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedBank",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation 4000",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation ES",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation ES Server",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis ParAssist",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis PharmoPack",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis ProcedureStation (including EC)",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Rapid Rx",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis StockStation",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyCenter",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyRoller",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyStation (including RF, EC, CP)",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Track and Deliver",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Rowa Pouch Packaging Systems",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
]
},
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22766",
"datePublished": "2022-02-11T18:12:07.247407Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-16T19:15:26.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}