SB2019090605 - Session fixation in BD Pyxis
Published: September 6, 2019
Security Bulletin ID
SB2019090605
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjacent network
Highest impact
Code execution
Breakdown by Severity
- Low: 1
- Medium: 0
- High: 0
- Critical: 0
Description
This security bulletin contains information about 1 security vulnerability.
1) Session Fixation (CVE-ID: CVE-2019-13517)
The vulnerability allows a local authenticated attacker to take over the authenticated access of another user.
The vulnerability exists because access privileges granted on the device are not revoked in step with Active Directory user account changes (such as account expiration or disablement) when the device is joined to an Active Directory (AD) domain. A local authenticated user can use the AD credentials of a previously authenticated user to gain access to the device and obtain patient data and medications.
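The failure mode described above, modelled in Python as an added example (this is not BD's code; the `AdAccount` attributes, the in-memory `Directory`, the two device classes and the nurse scenario are constructed assumptions). The vulnerable device trusts credentials it cached at first logon and never reconciles them with the directory, so a disabled account keeps working and its open session stays alive; the hardened device re-checks account state on every logon and session use, and drops any session that predates the account's last change.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import secrets


def hash_pw(password: str) -> str:
    # Illustrative only; a domain-joined device would use the Kerberos/NTLM flow.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AdAccount:
    """Constructed stand-in for the AD attributes a device would consult."""
    username: str
    password_hash: str
    enabled: bool = True
    expires: Optional[datetime] = None            # like accountExpires
    when_changed: datetime = datetime(2019, 1, 1)  # like whenChanged


class Directory:
    """Minimal in-memory domain: the device's source of truth for accounts."""
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def lookup(self, username):
        return self.accounts.get(username)

    def disable(self, username, now):
        acct = self.accounts[username]
        acct.enabled = False
        acct.when_changed = now


@dataclass
class Session:
    username: str
    started: datetime


class CachingDevice:
    """Vulnerable pattern: credentials cached at first logon are trusted forever,
    so a later disable/expiry/password reset in AD never reaches the device."""
    def __init__(self, directory):
        self.directory = directory
        self.cache = {}     # username -> password hash
        self.sessions = {}  # token -> Session

    def logon(self, username, password, now):
        if username not in self.cache:
            acct = self.directory.lookup(username)
            if acct is None or not acct.enabled or acct.password_hash != hash_pw(password):
                return None
            self.cache[username] = acct.password_hash
        if self.cache[username] != hash_pw(password):   # directory never consulted again
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(username, now)
        return token

    def session_valid(self, token, now):
        return token in self.sessions   # open sessions are never re-checked


class RevalidatingDevice(CachingDevice):
    """Hardened pattern: every logon and every session use is checked against the
    current AD state; sessions older than the account's last change are dropped."""
    def _account_ok(self, username, now):
        acct = self.directory.lookup(username)
        if acct is None or not acct.enabled or (acct.expires is not None and now >= acct.expires):
            self.cache.pop(username, None)   # purge stale cached credentials
            return None
        return acct

    def logon(self, username, password, now):
        acct = self._account_ok(username, now)
        if acct is None or acct.password_hash != hash_pw(password):
            return None
        self.cache[username] = acct.password_hash
        token = secrets.token_hex(16)
        self.sessions[token] = Session(username, now)
        return token

    def session_valid(self, token, now):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self._account_ok(sess.username, now)
        if acct is None or acct.when_changed > sess.started:
            self.sessions.pop(token, None)   # account changed after logon: kill session
            return False
        return True


def scenario(device_cls):
    """Constructed scenario: a nurse logs on, her AD account is disabled an hour
    later, then someone at the device reuses her credentials and her old session."""
    t0 = datetime(2019, 9, 1, 8, 0)
    directory = Directory([AdAccount("nurse", hash_pw("Summer2019!"))])
    device = device_cls(directory)
    first = device.logon("nurse", "Summer2019!", t0)
    directory.disable("nurse", t0 + timedelta(hours=1))
    later = t0 + timedelta(hours=2)
    return {
        "relogon_accepted": device.logon("nurse", "Summer2019!", later) is not None,
        "old_session_alive": device.session_valid(first, later),
    }
```

Running `scenario(CachingDevice)` reports both the re-logon and the old session as accepted; `scenario(RevalidatingDevice)` rejects both. The design point is that a credential cache is only safe if it is keyed to the directory's change state and purged when the account is disabled, expired or modified, and if live sessions are checked against that state rather than only at logon.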
Remediation
Install the update from the vendor's website.