Today the DHS ICS-CERT published two control system security advisories for products from Becton, Dickinson and Company (BD) and Leão Consultoria e Desenvolvimento de Sistemas LTDA ME (LCDS).
The BD advisory describes a hard-coded password vulnerability in the BD Kiestra PerformA and KLA Journal Service (laboratory information management systems) applications. The vulnerability is apparently self-reported. BD will be providing updates to the two applications and the Kiestra Database to “reduce the risk [emphasis added] of exploitation of the hard-coded passwords vulnerability”.
ICS-CERT reported that a relatively low skilled attacker could remotely exploit this vulnerability to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited patient health information and personally identifiable information stored in the BD Kiestra Database.
The BD Security Advisory paints a more complicated picture of the vulnerability situation, but it also provides workarounds to be used pending the updates that will be provided later this year. It describes three vulnerabilities instead of one:
• A legacy application (SMB1 protocol);
• Hard-coded password in the two applications;
• Third-party default password in the Database.
The LCDS advisory describes a path traversal vulnerability in the LCDS LAquis SCADA software. The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative. LCDS has produced a new firmware version to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability, allowing an unprivileged, malicious attacker to access files remotely.