Becton, Dickinson and Company (BD) will follow up directly with all affected users to perform remediation activities for an improper access control vulnerability in its FACSLyric flow cytometry systems, according to a report from NCCIC.
Successful exploitation of this vulnerability, which BD self-reported, may allow an attacker to gain unauthorized access to administrative level privileges on a workstation, which could allow arbitrary execution of commands. This vulnerability does not impact BD FACSLyric flow cytometry systems using the Windows 7 Operating System.
The following versions of the FACSLyric flow cytometry solution suffer from the issue:
• BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases, between November 2017 and November 2018
• BD FACSLyric IVD, Windows 10 Professional Operating System, U.S. release
The application does not properly enforce user access control to privileged accounts, which may allow for unauthorized access to administrative level functions.
CVE-2019-6517 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.
The product is used mainly in the healthcare and public health sectors and is deployed worldwide.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.
BD will follow up directly with all affected users to perform remediation activities. BD will disable the administrative account for users with BD FACSLyric RUO Cell Analyzer units having the Windows 10 Pro Operating System. BD has contacted affected users of BD FACSLyric IVD Cell Analyzer units with the Windows 10 Pro Operating System and will replace their computer workstations.
For additional information regarding the reported vulnerability, contact BD as follows:
For technical support, contact the BD Biosciences General Tech Support – Flow Cytometry via email or phone 877-232-8995 Option 2 and then Option 2 again.
For more information on BD’s product security and vulnerability management, contact BD’s Product Security Office.