CVE-2023-29061: CWE-306 Missing Authentication for Critical Function in Becton, Dickinson and Company (BD) FACSChorus
There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.
AI Analysis
Technical Summary
CVE-2023-29061 is a vulnerability identified in Becton, Dickinson and Company's (BD) FACSChorus workstations, specifically versions 3.0 and 5.0. The core issue is the absence of a BIOS password, which constitutes a missing authentication control for a critical function, categorized under CWE-306. This lack of BIOS-level authentication allows an attacker with physical access to the workstation to enter the BIOS setup without restriction. Consequently, the attacker can modify the BIOS configuration, including changing the drive boot order and disabling or altering BIOS pre-boot authentication mechanisms. Such changes can enable booting from unauthorized media, potentially allowing the attacker to bypass operating system-level security controls, install persistent malware, or extract sensitive data. The vulnerability has a CVSS v3.1 base score of 5.2, indicating a medium severity level. The vector metrics specify that exploitation requires physical access (AV:P), has low attack complexity (AC:L), does not require privileges (PR:N) or user interaction (UI:N), and impacts integrity and availability but not confidentiality. No known exploits are currently reported in the wild, and no patches have been released yet. The vulnerability primarily affects the BIOS security posture of the FACSChorus workstations, which are specialized laboratory instruments used for flow cytometry analysis in clinical and research environments. Given the critical role of these devices in medical diagnostics and research, unauthorized BIOS access could lead to significant operational disruptions and data integrity issues.
Potential Impact
For European organizations, particularly those in healthcare, biomedical research, and clinical diagnostics, this vulnerability poses a tangible risk. FACSChorus workstations are integral to flow cytometry workflows, and any compromise could disrupt diagnostic processes or research outcomes. An attacker modifying BIOS settings could introduce persistent malware or alter system behavior, potentially leading to inaccurate test results or data loss. This could undermine patient safety, research validity, and regulatory compliance with frameworks such as GDPR and medical device regulations. Additionally, the physical access requirement means that insider threats or unauthorized visitors in laboratories could exploit this vulnerability. The impact on availability is significant, as BIOS misconfiguration can render devices unbootable or unstable, causing downtime in critical laboratory operations. Although confidentiality impact is rated as none, the integrity and availability impacts are sufficient to cause operational and reputational damage. European healthcare institutions, which often have stringent security and privacy requirements, must consider this vulnerability seriously to maintain trust and compliance.
Mitigation Recommendations
To mitigate CVE-2023-29061 effectively, European organizations should implement the following specific measures:
1) Immediately enforce physical security controls around FACSChorus workstations, including restricted access to laboratory areas and surveillance to prevent unauthorized physical access.
2) Where possible, configure BIOS passwords manually on all affected devices to prevent unauthorized BIOS access; if the vendor does not provide a patch, organizations should engage with BD support for guidance or firmware updates.
3) Implement hardware-based security features such as Trusted Platform Module (TPM) and secure boot to limit unauthorized boot modifications.
4) Maintain strict inventory and asset management to quickly identify affected devices and monitor their physical security status.
5) Conduct regular audits of BIOS settings and system configurations to detect unauthorized changes promptly.
6) Train laboratory personnel on the risks of physical access vulnerabilities and enforce policies to prevent unauthorized device handling.
7) Develop incident response plans that include procedures for BIOS compromise scenarios to minimize downtime and data integrity risks.
8) Collaborate with BD and industry groups to stay informed about patches or firmware updates addressing this vulnerability.
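As an added example of measures 3 and 5 (this is not BD's or the advisory's code), the following PowerShell audit snapshots the BIOS version, Secure Boot and TPM state, and a hash of the firmware boot entries, writes a baseline on first run and flags drift on later runs. It assumes the FACSChorus workstation is a Windows UEFI host (not stated by the advisory), that the built-in SecureBoot and TrustedPlatformModule modules are present, and that the script runs elevated.

```powershell
# Added example, not BD's or the advisory's code. Assumes a Windows/UEFI
# host and an elevated session (bcdedit and Get-Tpm need admin rights).
param(
    [string]$BaselinePath = "$env:ProgramData\bios-baseline.json",
    [switch]$WriteBaseline
)

function Get-BootSecuritySnapshot {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'NotUEFI' }
    try { $tpm = Get-Tpm } catch { $tpm = $null }
    # Hash the firmware boot entries so a changed boot order shows up as
    # drift without parsing bcdedit's free-form output.
    $fwText = (bcdedit /enum firmware 2>&1) -join "`n"
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fwHash = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($fwText)) |
               ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BiosReleaseDate  = [string]$bios.ReleaseDate
        SerialNumber     = $bios.SerialNumber
        SecureBoot       = [string]$secureBoot
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        FirmwareBootHash = $fwHash
    }
}

function Compare-BootSecurity {
    param($Current, $Baseline)
    $drift = @()
    foreach ($p in $Current.PSObject.Properties.Name) {
        if ([string]$Current.$p -ne [string]$Baseline.$p) {
            $drift += "{0}: baseline='{1}' now='{2}'" -f $p, $Baseline.$p, $Current.$p
        }
    }
    # Hard requirements regardless of baseline (measure 3 above)
    if ($Current.SecureBoot -ne 'True') { $drift += 'Secure Boot is not enabled' }
    if (-not $Current.TpmReady)         { $drift += 'TPM is not present or not ready' }
    return $drift
}

$now = Get-BootSecuritySnapshot
if ($WriteBaseline -or -not (Test-Path $BaselinePath)) {
    $now | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}
$base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$findings = Compare-BootSecurity -Current $now -Baseline $base
if ($findings.Count -eq 0) { Write-Output 'No BIOS/boot drift detected' }
else { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Schedule it as a task and forward the non-zero exit or warnings to your log pipeline; store the baseline somewhere the workstation's local users cannot modify.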
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: BD
- Date Reserved: 2023-03-30T21:10:17.526Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f034b182aa0cae27e66ec
Added to database: 6/3/2025, 2:14:35 PM
Last enriched: 7/3/2025, 9:55:06 PM
Last updated: 8/3/2025, 7:50:00 PM