
CVE-2023-29060: CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface in Becton, Dickinson and Company (BD) FACSChorus

Medium
Tags: Vulnerability, CVE-2023-29060, CWE-1299
Published: Tue Nov 28 2023 (11/28/2023, 20:07:00 UTC)
Source: CVE Database V5
Vendor/Project: Becton, Dickinson and Company (BD)
Product: FACSChorus

Description

The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

AI-Powered Analysis

Last updated: 07/03/2025, 21:55:34 UTC

Technical Analysis

CVE-2023-29060 is a medium-severity vulnerability affecting the Becton, Dickinson and Company (BD) FACSChorus workstation operating system, versions 3.0 and 5.0. It is classified as CWE-1299, Missing Protection Mechanism for Alternate Hardware Interface: the FACSChorus OS does not restrict which devices may interact with its USB ports, so any device plugged in can enumerate and communicate with the system without authorization or filtering. An attacker with physical access to the workstation could connect a malicious USB device to read system information and potentially exfiltrate sensitive data.

The CVSS v3.1 base score is 5.4 (medium). The vector AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H breaks down as: physical access required (AV:P), low attack complexity (AC:L), low privileges required (PR:L, meaning the attacker is assumed to already hold a basic user session on the workstation, such as a shared lab login), no user interaction (UI:N), unchanged scope (S:U), low confidentiality and integrity impact (C:L, I:L) and high availability impact (A:H).

No exploitation in the wild was known and no patches were linked at the time of publication. The core issue is the absence of USB port access control on a workstation that processes sensitive data: FACSChorus is used for flow cytometry data analysis in clinical and laboratory settings, so an insider or an attacker with brief physical access could compromise the system, leading to data leakage or loss of availability.

Potential Impact

For European organizations in healthcare, research and clinical diagnostics that run BD FACSChorus workstations, this vulnerability is a material risk. An attacker with physical access who connects an unauthorized USB device could read or exfiltrate sensitive patient or research data, potentially in breach of data-protection obligations such as GDPR, and could disrupt the workstation's availability and with it the laboratory workflows that depend on it, delaying diagnostics and treatment decisions. Remote exploitation is not possible, so the medium rating reflects the physical-access requirement: the realistic threat is an insider or someone with temporary access, for example during maintenance or in shared facilities. The confidentiality and integrity impacts are rated low but are not negligible given the data involved, and the availability impact is rated high, so operational downtime is the most severe outcome. Even limited leakage of this kind of data carries reputational and regulatory consequences.

Mitigation Recommendations

Because no patch was available at the time of writing, mitigation rests on physical and endpoint controls. Restrict physical access to FACSChorus workstations: keep them in rooms with access control, camera coverage and logged entry. Enforce a USB device policy at the OS level: disable unused ports in firmware where the hardware allows it, and for the ports that must stay active (the keyboard and mouse are themselves USB devices, so a blanket disable is rarely possible) use an endpoint or device-control solution that allowlists approved devices and blocks everything else, in particular removable storage and USB network adapters. Note that an allowlist keyed only on vendor and product ID can be defeated by a device that reports a cloned ID, so it reduces exposure rather than eliminating it; pin serial numbers where the tooling supports it and treat the allowlist as one layer alongside physical security. Monitor BD's advisories and apply any security update promptly once released. Audit connected USB devices regularly, and deploy data loss prevention (DLP) controls to detect and block unauthorized transfers. Train staff to recognise and report unfamiliar devices or suspicious physical access. Finally, segment the network and limit the workstation's connectivity so that a compromise cannot spread or exfiltrate beyond the local system.
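
The allowlist check that the OS-level USB policy and the device audit above both rely on, as an added example in Python. This is not BD's code and does not describe how FACSChorus or any particular device-control product is configured; the hardware IDs, serial numbers, interface classes and the one-line inventory format are all constructed for the example:

```python
"""USB device allowlisting for a lab workstation (added example, not BD's code).

Models the decision an OS-level device-control policy makes when a USB
device enumerates: whole interface classes can be denied outright, the
device identity (VID:PID, optionally serial) must be on an allowlist, and
the interface set it presents must match what was recorded when it was
approved. Hardware IDs, serials and the inventory format are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# USB-IF interface class codes used below
HID = 0x03              # keyboards, mice
MASS_STORAGE = 0x08     # flash drives, card readers
CDC = 0x02              # USB Ethernet and serial adapters
VENDOR_SPECIFIC = 0xFF

# Denied regardless of identity: the usual exfiltration and network-bridging paths.
DENIED_CLASSES = frozenset({MASS_STORAGE, CDC})


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    classes: FrozenSet[int]   # interface classes the device presents
    desc: str


@dataclass(frozen=True)
class AllowEntry:
    vid: int
    pid: int
    serial: Optional[str]     # None matches any serial number
    classes: FrozenSet[int]   # interface set recorded at approval time


# Constructed allowlist: the workstation's own keyboard and mouse pinned by
# serial, and one instrument-link device type accepted with any serial.
ALLOWLIST = [
    AllowEntry(0x1111, 0x0001, "KB-0001", frozenset({HID})),
    AllowEntry(0x1111, 0x0002, "MS-0001", frozenset({HID})),
    AllowEntry(0xAAAA, 0x0010, None, frozenset({VENDOR_SPECIFIC})),
]


def parse_inventory(text: str) -> List[UsbDevice]:
    """Parse one device per line: 'vid:pid serial class[,class] description'.

    The line format is invented for this example; a real inventory would be
    taken from the OS (the hardware IDs the device manager reports).
    """
    devices = []
    for line in text.strip().splitlines():
        ids, serial, classes, desc = line.split(maxsplit=3)
        vid, pid = (int(x, 16) for x in ids.split(":"))
        devices.append(UsbDevice(vid, pid, serial,
                                 frozenset(int(c, 16) for c in classes.split(",")),
                                 desc))
    return devices


def evaluate(dev: UsbDevice, allowlist=ALLOWLIST) -> Tuple[str, str]:
    """Return (verdict, reason); anything not explicitly allowed is denied."""
    if dev.classes & DENIED_CLASSES:
        return "deny", "presents a denied interface class"
    for entry in allowlist:
        if (entry.vid, entry.pid) != (dev.vid, dev.pid):
            continue
        if entry.serial is not None and entry.serial != dev.serial:
            continue
        if dev.classes != entry.classes:
            # Same identity, different interfaces: treat as a reprogrammed or
            # spoofed device rather than trusting the VID:PID it reports.
            return "deny", "interface set differs from the approved record"
        return "allow", "matches allowlist entry"
    return "deny", "not on the allowlist"


# Constructed inventory covering the cases the policy has to distinguish.
SAMPLE_INVENTORY = """
1111:0001 KB-0001 03 approved keyboard
1111:0001 KB-0001 03,ff keyboard identity but an extra vendor interface
2222:0003 FD-9999 08 flash drive
aaaa:0010 IL-4242 ff instrument link, serial not pinned
3333:0004 XX-0000 03 unlisted keyboard-class device
"""


def audit(inventory: str = SAMPLE_INVENTORY) -> List[Tuple[str, str, str]]:
    """Evaluate every device in the inventory; returns (desc, verdict, reason)."""
    return [(d.desc, *evaluate(d)) for d in parse_inventory(inventory)]


if __name__ == "__main__":
    for desc, verdict, reason in audit():
        print(f"{verdict:5} {desc}: {reason}")
```

The default-deny order matters: class denial runs first so a storage device is refused even if someone adds its VID:PID to the list, and an identity that matches but presents a different interface set is refused rather than trusted. Because VID, PID and serial are all values the device itself reports, this check limits which devices a casual attacker can plug in; it does not replace the physical controls described above.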


Technical Details

Data Version: 5.1
Assigner Short Name: BD
Date Reserved: 2023-03-30T21:10:17.526Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f034b182aa0cae27e66ea

Added to database: 6/3/2025, 2:14:35 PM

Last enriched: 7/3/2025, 9:55:34 PM

Last updated: 8/9/2025, 12:51:14 AM
