Security restrictions bypass in BD FACSLyric



Published: 2019-01-31
Risk Low
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2019-6517
CWE-ID CWE-284
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
FACSLyric
Hardware solutions / Firmware

Vendor Becton, Dickinson and Company (BD)

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper access control

EUVDB-ID: #VU17328

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-6517

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a physical attacker to bypass security restrictions.

The vulnerability exists due to the application does not properly enforce user access control to privileged accounts. A physical attacker can gain unauthorized access to administrative level functions.

Mitigation

BD will follow-up directly with all affected users to perform remediation activities. BD will disable the administrative account for users with BD FACSLyric RUO Cell Analyzer units having the Windows 10 Pro Operating System. BD has contacted and will replace the computer workstations for affected users with the BD FACSLyric IVD Cell Analyzer units with the Windows 10 Pro Operating System.

Vulnerable software versions

FACSLyric: All versions

External links

http://ics-cert.us-cert.gov/advisories/ICSMA-19-029-02


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###