The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about vulnerabilities found in the BD FACSLyric flow cytometry solution.
ICS-CERT is a governmental organisation that works to reduce the risk of cybercrime to US businesses. The medical advisory stated the flaw in the device, manufactured by Becton, Dickinson, and Company (BD) required a low level of skill to exploit.
The flaw was identified as an improper access control vulnerability. If an attacker exploits the flaw, they could gain access to administrative level privileges on a vulnerable workstation and execute commands.
BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions.
The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. Security researchers gave the flaw a CVSS v3 base score of 6.8, indicating medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC).
The vulnerability is present in the following cytometry solutions:
BD FACSLyric Research Use Only, Windows 10 Professional Operating System, the U.S. and Malaysian Releases (Nov 2017 and Nov 2018)
The U.S. release of BD FACSLyric IVD Windows 10 Professional Operating System.
FACSLyric flow cytometry systems on Windows 7 are not affected by the vulnerability.
According to the ICS-CERT website, “BD will follow-up directly with all affected users to perform remediation activities”. These activities include disabling the admin account for users with BD FACSLyric RUO Cell Analyzer units on Windows 10 Pro. Computer workstations with BD FACSLyric IVD Cell Analyzer units on Windows 10 Pro will be replaced.
Users of the vulnerable solutions that have not yet been contacted by BD can contact BD Biosciences General Tech Support for further information.
NCCIC offers several recommendations to individuals using devices affected by the vulnerabilities. These recommendations include; locating medical devices and systems behind firewalls, minimising network exposure for medical devices and systems, restricting access to authorised individuals, applying the rule of least privilege, adopting in-depth defence strategies, and disabling unnecessary accounts and services.
NCCIC reminds organisations to perform proper impact analysis and risk assessment before deploying defensive measures.