CVE-2022-22765 - OpenCVE

BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bd	Viper Lt System Viper Lt System Firmware

Configuration 1 [-]

AND

cpe:2.3:o:bd:viper_lt_system_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bd:viper_lt_system:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials
https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: BD

Published: 2022-02-12T02:30:40.024621Z

Updated: 2024-09-17T02:58:09.300Z

Reserved: 2022-01-07T00:00:00

Link: CVE-2022-22765

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-12T03:15:07.363

Modified: 2022-05-11T14:38:23.243

Link: CVE-2022-22765

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "BD Viper LT System", "vendor": "Becton Dickinson (BD)", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "next of 2.0", "versionType": "custom"}]}], "datePublic": "2022-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T15:26:14", "orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "shortName": "BD"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"}], "solutions": [{"lang": "en", "value": "The fix is expected in BD Viper LT system version 4.80 software release."}], "source": {"discovery": "INTERNAL"}, "title": "BD Viper LT System - Hardcoded Credentials", "workarounds": [{"lang": "en", "value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viper\u00e2\u201e\u00a2 LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@bd.com", "DATE_PUBLIC": "2022-02-11T21:00:00.000Z", "ID": "CVE-2022-22765", "STATE": "PUBLIC", "TITLE": "BD Viper LT System - Hardcoded Credentials"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BD Viper LT System", "version": {"version_data": [{"version_affected": ">", "version_value": "2.0"}]}}]}, "vendor_name": "Becton Dickinson (BD)"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798 Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials", "refsource": "CONFIRM", "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"}, {"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"}]}, "solution": [{"lang": "en", "value": "The fix is expected in BD Viper LT system version 4.80 software release."}], "source": {"discovery": "INTERNAL"}, "work_around": [{"lang": "en", "value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viper\u00e2\u201e\u00a2 LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.105Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"}]}]}, "cveMetadata": {"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "assignerShortName": "BD", "cveId": "CVE-2022-22765", "datePublished": "2022-02-12T02:30:40.024621Z", "dateReserved": "2022-01-07T00:00:00", "dateUpdated": "2024-09-17T02:58:09.300Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:bd:viper_lt_system_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C61284F9-2506-4435-9A64-98B289BB1C14", "versionEndExcluding": "4.80", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bd:viper_lt_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "B4262FD3-7CF6-4A4E-8BE8-A9650C32499C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."}, {"lang": "es", "value": "BD Viper LT system, versiones 2.0 y posteriores, contiene credenciales embebidas. Si es explotado, los actores de la amenaza pueden ser capaces de acceder, modificar o eliminar informaci\u00f3n confidencial, incluyendo informaci\u00f3n de salud electr\u00f3nica protegida (ePHI), informaci\u00f3n de salud protegida (PHI) e informaci\u00f3n personal identificable (PII). BD Viper LT system versiones 4.0 y posteriores usan Microsoft Windows 10 y presentan configuraciones adicionales de endurecimiento del Sistema Operativo que aumentan la complejidad del ataque requerido para explotar esta vulnerabilidad"}], "id": "CVE-2022-22765", "lastModified": "2022-05-11T14:38:23.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.5, "source": "cybersecurity@bd.com", "type": "Secondary"}]}, "published": "2022-02-12T03:15:07.363", "references": [{"source": "cybersecurity@bd.com", "tags": ["Vendor Advisory"], "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"}, {"source": "cybersecurity@bd.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"}], "sourceIdentifier": "cybersecurity@bd.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "cybersecurity@bd.com", "type": "Secondary"}]}