CVE-2024-10476 (GCVE-0-2024-10476)
Vulnerability from cvelistv5
Published
2024-12-17 15:16
Modified
2024-12-17 15:35
Severity ?
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Summary
Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys™ Informatics Solution is only in scope of this vulnerability when installed on a NUC server. BD Synapsys™ Informatics Solution installed on a customer-provided virtual machine or on the BD Kiestra™ SCU hardware is not in scope.
References
Impacted products
Vendor Product Version
Becton Dickinson & Co BD BACTEC™ Blood Culture System Version: 0   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-17T15:35:29.382383Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-17T15:35:43.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "BD BACTEC\u2122 Blood Culture System",
          "vendor": "Becton Dickinson \u0026 Co",
          "versions": [
            {
              "lessThanOrEqual": "7.20",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "BD COR\u2122 System",
          "vendor": "Becton Dickinson \u0026 Co",
          "versions": [
            {
              "lessThanOrEqual": "8.90",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "BD EpiCenter\u2122 Microbiology Data Management System",
          "vendor": "Becton Dickinson \u0026 Co",
          "versions": [
            {
              "lessThanOrEqual": "7.45",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "BD MAX\u2122 System",
          "vendor": "Becton Dickinson \u0026 Co",
          "versions": [
            {
              "lessThanOrEqual": "6.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "BD Phoenix\u2122 M50 Automated Microbiology System",
          "vendor": "Becton Dickinson \u0026 Co",
          "versions": [
            {
              "lessThanOrEqual": "2.70",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "BD Synapsys\u2122 Informatics Solution",
          "vendor": "Becton Dickinson \u0026 Co",
          "versions": [
            {
              "lessThanOrEqual": "6.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDefault credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\u2122 Informatics\nSolution is only in scope of\nthis vulnerability when\ninstalled on a NUC server. BD Synapsys\u2122\nInformatics Solution installed\non a customer-provided virtual machine or on the BD Kiestra\u2122 SCU hardware is\nnot in scope.\n\n\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\u2122 Informatics\nSolution is only in scope of\nthis vulnerability when\ninstalled on a NUC server. BD Synapsys\u2122\nInformatics Solution installed\non a customer-provided virtual machine or on the BD Kiestra\u2122 SCU hardware is\nnot in scope."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-70",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1392",
              "description": "CWE-1392 USE OF DEFAULT CREDENTIALS",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-17T15:16:44.982Z",
        "orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
        "shortName": "BD"
      },
      "references": [
        {
          "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-cybersecurity-vulnerability-bulletin-diagnostic-solutions-products"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
    "assignerShortName": "BD",
    "cveId": "CVE-2024-10476",
    "datePublished": "2024-12-17T15:16:44.982Z",
    "dateReserved": "2024-10-28T18:44:14.990Z",
    "dateUpdated": "2024-12-17T15:35:43.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-10476\",\"sourceIdentifier\":\"cybersecurity@bd.com\",\"published\":\"2024-12-17T16:15:23.390\",\"lastModified\":\"2024-12-17T16:15:23.390\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\u2122 Informatics\\nSolution is only in scope of\\nthis vulnerability when\\ninstalled on a NUC server. BD Synapsys\u2122\\nInformatics Solution installed\\non a customer-provided virtual machine or on the BD Kiestra\u2122 SCU hardware is\\nnot in scope.\"},{\"lang\":\"es\",\"value\":\"Las credenciales predeterminadas se utilizan en BD Diagnostic Solutions products enumerados anteriormente. Si se explota esta vulnerabilidad, los actores de amenazas pueden acceder, modificar o eliminar datos, incluida informaci\u00f3n confidencial como informaci\u00f3n m\u00e9dica protegida (PHI) e informaci\u00f3n de identificaci\u00f3n personal (PII). La explotaci\u00f3n de esta vulnerabilidad puede permitir que un atacante apague o afecte de otro modo la disponibilidad del sistema. Nota: BD Synapsys\u2122 Informatics Solution solo est\u00e1 dentro del alcance de esta vulnerabilidad cuando se instala en un servidor NUC. BD Synapsys\u2122 Informatics Solution instalada en una m\u00e1quina virtual proporcionada por el cliente o en el hardware BD Kiestra\u2122 SCU no est\u00e1 dentro del alcance.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@bd.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cybersecurity@bd.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1392\"}]}],\"references\":[{\"url\":\"https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-cybersecurity-vulnerability-bulletin-diagnostic-solutions-products\",\"source\":\"cybersecurity@bd.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-10476\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-17T15:35:29.382383Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-17T15:35:38.507Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-70\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-70 Try Common or Default Usernames and Passwords\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Becton Dickinson \u0026 Co\", \"product\": \"BD BACTEC\\u2122 Blood Culture System\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.20\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Becton Dickinson \u0026 Co\", \"product\": \"BD COR\\u2122 System\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.90\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Becton Dickinson \u0026 Co\", \"product\": \"BD EpiCenter\\u2122 Microbiology Data Management System\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.45\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Becton Dickinson \u0026 Co\", \"product\": \"BD MAX\\u2122 System\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.10\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Becton Dickinson \u0026 Co\", \"product\": \"BD Phoenix\\u2122 M50 Automated Microbiology System\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.70\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Becton Dickinson \u0026 Co\", \"product\": \"BD Synapsys\\u2122 Informatics Solution\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.10\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-cybersecurity-vulnerability-bulletin-diagnostic-solutions-products\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\\u2122 Informatics\\nSolution is only in scope of\\nthis vulnerability when\\ninstalled on a NUC server. BD Synapsys\\u2122\\nInformatics Solution installed\\non a customer-provided virtual machine or on the BD Kiestra\\u2122 SCU hardware is\\nnot in scope.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDefault credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\\u2122 Informatics\\nSolution is only in scope of\\nthis vulnerability when\\ninstalled on a NUC server. BD Synapsys\\u2122\\nInformatics Solution installed\\non a customer-provided virtual machine or on the BD Kiestra\\u2122 SCU hardware is\\nnot in scope.\\n\\n\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1392\", \"description\": \"CWE-1392 USE OF DEFAULT CREDENTIALS\"}]}], \"providerMetadata\": {\"orgId\": \"2325d071-eabf-4b7b-a4ea-0819b6629a18\", \"shortName\": \"BD\", \"dateUpdated\": \"2024-12-17T15:16:44.982Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-10476\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-17T15:35:43.490Z\", \"dateReserved\": \"2024-10-28T18:44:14.990Z\", \"assignerOrgId\": \"2325d071-eabf-4b7b-a4ea-0819b6629a18\", \"datePublished\": \"2024-12-17T15:16:44.982Z\", \"assignerShortName\": \"BD\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.