BD FACSLyric Flow Cytometry Solution Vulnerabilities Identified

Becton, Dickinson and Company (BD) has discovered an access control flaw in its BD FACSLyric flow cytometry solution. If an attacker exploits vulnerability, access to administrative level privileges can be gained on a vulnerable workstation and deploy commands. A low-level skilled attacker can exploit the vulnerability.

BD thoroughly checks its software for possible vulnerabilities and quickly fixes vulnerabilities. BD is presently doing the necessary steps to fix the vulnerability in all FACSLyric flow cytometry solutions at risk.

The vulnerability (CVE-2019-6517) is because of incorrect enforcement of privileged accounts’ user access control. A CVSS v3 base score of 6.8 (Medium severity) has been assigned to this vulnerability. BD reported the identified vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC).

The following cytometry solutions may be affected by the vulnerability:

  • The U.S. release of BD FACSLyric IVD Windows 10 Professional OS.
  • BD FACSLyric Research Use Only, Windows 10 Professional OS, U.S. and Malaysian Releases (Nov 2017 and Nov 2018)
  • FACSLyric flow cytometry systems on Windows 7 are not affected.

BD is getting in touch with all affected users and is going to do remediation actions to resolve the vulnerabilities. BD may disable the administrator account for users with BD FACSLyric RUO Cell Analyzer units on Windows 10 Pro; or replace the computer workstations that comes with BD FACSLyric IVD Cell Analyzer units on Windows 10 Pro. Users of the flawed products that BD hasn’t contacted yet can communicate with BD Biosciences General Tech Support for additional information.

To reduce the threat of attackers exploiting the vulnerabilities, NCCIC advises putting medical equipment and systems behind firewalls, lessening the network exposure of medical equipment and systems, limiting access to authorized persons, implementing the rule of least privilege, taking in depth defense strategies, and deactivating accounts and services that are unnecessary.