CVE-2023-29062

Published: Nov 28, 2023

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

3.8

LOW

Description

The operating system hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, NBT-NS, or mDNS and will result in NTLMv2 hashes being sent to a malicious entity positioned on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain-joined systems.

Vendor: Becton, Dickinson and Company (BD)

Product: FACSChorus

Versions:
affected: 5.0 - <= 5.1
affected: 3.0 - <= 3.1

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector: Adjacent

Attack Complexity: Low

Privileges Required: None

User Interaction: Required

Scope: Changed

Confidentiality: Low

Integrity: None

Availability: None
