BDCVEs & Vulnerabilities

33 CVEs affecting BD products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

facschorus 28alaris gateway workstation firmware 8alaris 8015 pc unit 4alaris 8015 pcu 4alaris 8015 pcu firmware 4alaris systems manager 3performa 3pyxis anesthesia station es 3
CVE-2023-29066LOW

The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

29 Nov 2023
3.5
CVSS
CVE-2023-29065MEDIUM

The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.

29 Nov 2023
4.3
CVSS
CVE-2023-29064MEDIUM

The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.

29 Nov 2023
4.3
CVSS
CVE-2023-29063LOW

The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.

29 Nov 2023
2.4
CVSS
CVE-2023-29062LOW

The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.

29 Nov 2023
3.8
CVSS
CVE-2023-29061MEDIUM

There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

29 Nov 2023
5.2
CVSS
CVE-2023-29060MEDIUM

The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

28 Nov 2023
5.7
CVSS
CVE-2023-30565LOW

An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.

13 Jul 2023
3.5
CVSS
CVE-2023-30564MEDIUM

Alaris Systems Manager does not perform input validation during the Device Import Function.

13 Jul 2023
6.9
CVSS
CVE-2023-30563HIGH

A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.

13 Jul 2023
8.2
CVSS
CVE-2023-30562MEDIUM

A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.

13 Jul 2023
6.7
CVSS
CVE-2023-30561MEDIUM

The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

13 Jul 2023
6.1
CVSS
CVE-2023-30560MEDIUM

The configuration from the PCU can be modified without authentication using physical connection to the PCU.

13 Jul 2023
6.8
CVSS
CVE-2023-30559MEDIUM

The firmware update package for the wireless card is not properly signed and can be modified.

13 Jul 2023
5.7
CVSS
CVE-2022-47376HIGH

The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data.

13 Jun 2023
7.3
CVSS
CVE-2022-43557MEDIUM

The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. If exploited, threat actors with physical access, specialized equipment and knowledge may be able to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the pump.

6 Dec 2022
5.3
CVSS
CVE-2022-40263HIGH

BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.

4 Nov 2022
7.8
CVSS
CVE-2022-30277MEDIUM

BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).

2 Jun 2022
5.7
CVSS
CVE-2022-22767HIGH

Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

2 Jun 2022
8.8
CVSS
CVE-2022-22765HIGH

BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.

12 Feb 2022
7.8
CVSS
CVE-2022-22766MEDIUM

Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.

11 Feb 2022
5.5
CVSS
CVE-2020-25165HIGH

BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.

13 Nov 2020
7.5
CVSS
CVE-2020-10598MEDIUM

In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.

2 Apr 2020
6.1
CVSS
CVE-2019-13517HIGH

In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain.

6 Sep 2019
8.8
CVSS
CVE-2019-10962MEDIUM

BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR Build 11,1.1.5, and 1.1.6, The web browser user interface on the Alaris Gateway Workstation does not prevent an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the status and configuration information of the device.

14 Jun 2019
5.3
CVSS
CVE-2019-10959CRITICAL

BD Alaris Gateway Workstation Versions, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, 1.3.1 Build 13, This does not impact the latest firmware Versions 1.3.2 and 1.6.1, Additionally, the following products using software Version 2.3.6 and below, Alaris GS, Alaris GH, Alaris CC, Alaris TIVA, The application does not restrict the upload of malicious files during a firmware update.

14 Jun 2019
10.0
CVSS
CVE-2019-6517MEDIUM

BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases, between November 2017 and November 2018 and BD FACSLyric IVD Windows 10 Professional Operating System US release does not properly enforce user access control to privileged accounts, which may allow for unauthorized access to administrative level functions.

6 Feb 2019
6.8
CVSS
CVE-2018-14786CRITICAL

Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality that requires a provable user identity, where it may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port.

23 Aug 2018
9.4
CVSS
CVE-2018-10595MEDIUM

A vulnerability in ReadA version 1.1.0.2 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in loss or corruption of data.

24 May 2018
6.3
CVSS
CVE-2018-10593MEDIUM

A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption.

24 May 2018
5.6
CVSS
CVE-2017-6022CRITICAL

A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database.

30 Jun 2017
9.8
CVSS
CVE-2016-9355MEDIUM

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience.

14 Feb 2017
5.3
CVSS
CVE-2016-8375MEDIUM

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.

14 Feb 2017
4.9
CVSS
← PrevPage 1 / 1Next →