CVE-2023-29066 - OpenCVE

The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bd	Facschorus
Hp	Hp Z2 Tower G5 Hp Z2 Tower G9

Configuration 1 [-]

AND

OR	cpe:2.3:a:bd:facschorus:5.0:::::::*
	cpe:2.3:a:bd:facschorus:5.1:::::::*

cpe:2.3:h:hp:hp_z2_tower_g9:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:bd:facschorus:3.0:::::::*
	cpe:2.3:a:bd:facschorus:3.1:::::::*

cpe:2.3:h:hp:hp_z2_tower_g5:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software

History

No history.

MITRE

Status: PUBLISHED

Assigner: BD

Published: 2023-11-28T20:36:13.494Z

Updated: 2024-08-02T14:00:15.314Z

Reserved: 2023-03-30T21:10:17.527Z

Link: CVE-2023-29066

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-28T21:15:08.173

Modified: 2023-12-05T15:07:40.170

Link: CVE-2023-29066

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29066", "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "state": "PUBLISHED", "assignerShortName": "BD", "dateReserved": "2023-03-30T21:10:17.527Z", "datePublished": "2023-11-28T20:36:13.494Z", "dateUpdated": "2024-08-02T14:00:15.314Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "64 bit"], "product": "FACSChorus", "vendor": "Becton, Dickinson and Company (BD)", "versions": [{"lessThanOrEqual": "5.1", "status": "affected", "version": "5.0", "versionType": "custom"}]}], "datePublic": "2023-11-28T14:24:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders."}], "value": "The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders."}], "impacts": [{"capecId": "CAPEC-639", "descriptions": [{"lang": "en", "value": "CAPEC-639 Probe System Files"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "shortName": "BD", "dateUpdated": "2023-11-28T20:36:13.494Z"}, "references": [{"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"}], "source": {"discovery": "UNKNOWN"}, "title": "Incorrect User Management", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:<br><ul><li>Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.</li><li>If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.</li><li>Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.</li></ul>"}], "value": "\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:00:15.314Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bd:facschorus:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D5E0D4F-559B-414E-A627-0BA0937BD7F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:bd:facschorus:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "57F63FB2-2AE2-4B5F-8B49-4A0A4549CF3E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hp:hp_z2_tower_g9:-:*:*:*:*:*:*:*", "matchCriteriaId": "54279DE4-A2A4-4AA6-A05F-931094446F16", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bd:facschorus:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2785D17E-800C-4772-A131-5737E9446C01", "vulnerable": true}, {"criteria": "cpe:2.3:a:bd:facschorus:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "30FD1DE4-982F-4D14-BB8A-478F8430BC63", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hp:hp_z2_tower_g5:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E9BA28D-9C14-435A-9786-222BE58A9258", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders."}, {"lang": "es", "value": "El software FACSChorus no asigna correctamente privilegios de acceso a datos para las cuentas de usuario del sistema operativo. Una cuenta de sistema operativo no administrativa puede modificar la informaci\u00f3n almacenada en las carpetas de datos de la aplicaci\u00f3n local."}], "id": "CVE-2023-29066", "lastModified": "2023-12-05T15:07:40.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "cybersecurity@bd.com", "type": "Secondary"}]}, "published": "2023-11-28T21:15:08.173", "references": [{"source": "cybersecurity@bd.com", "tags": ["Vendor Advisory"], "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"}], "sourceIdentifier": "cybersecurity@bd.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-266"}], "source": "cybersecurity@bd.com", "type": "Secondary"}]}