Improper access control in FACSLyric - CVE-2019-6517
Published: January 31, 2019
Vulnerability identifier: #VU17328
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-6517
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Becton, Dickinson and Company (BD)
Affected software:
FACSLyric
FACSLyric
Detailed vulnerability description
The vulnerability allows a physical attacker to bypass security restrictions.
The vulnerability exists due to the application does not properly enforce user access control to privileged accounts. A physical attacker can gain unauthorized access to administrative level functions.
How to mitigate CVE-2019-6517
BD will follow-up directly with all affected users to perform remediation activities. BD will disable the administrative account for users with BD FACSLyric RUO Cell Analyzer units having the Windows 10 Pro Operating System. BD has contacted and will replace the computer workstations for affected users with the BD FACSLyric IVD Cell Analyzer units with the Windows 10 Pro Operating System.