Session fixation in BD Pyxis

Published: 2019-09-06
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-13517
CWE-ID CWE-384
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Pyxis Enterprise Server
Hardware solutions / Medical equipment

Pyxis ES
Hardware solutions / Medical equipment

Vendor Becton, Dickinson and Company (BD)

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Session Fixation

EUVDB-ID: #VU20897

Risk: Low

CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13517

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a local attacker to steal authenticated sessions.

The vulnerability exists because access privileges are not restricted in coordination with the expiration of access based on Active Directory user account changes when the device is joined to an Active Directory (AD) domain. A local authenticated user can use the AD credentials of a previously authenticated user to gain access to the device and obtain patient data and medication.
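The defensive pattern behind the fix, as an added illustration that is not BD or Pyxis code: before a cached AD-backed session is honoured, the device re-reads the account's current state and rejects the session if the account was disabled, removed, expired, or had its password changed after the session was issued. The `DirectoryAccount` fields, the sample directory and the eight-hour age limit are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class DirectoryAccount:
    """Constructed snapshot of the attributes a device would read from AD."""
    username: str
    enabled: bool
    password_last_set: datetime
    account_expires: Optional[datetime]  # None: the account never expires

@dataclass
class CachedSession:
    """Entry the device stored when the user last authenticated."""
    username: str
    issued_at: datetime

MAX_SESSION_AGE = timedelta(hours=8)  # assumed local policy, not a vendor value

def cache_only_is_valid(session: CachedSession) -> bool:
    # Behaviour the advisory describes: only the cached entry is consulted,
    # so the session outlives any change made to the account in AD.
    return True

def session_is_valid(session: CachedSession,
                     account: Optional[DirectoryAccount],
                     now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); each reason is a state the cache alone cannot see."""
    if account is None:
        return False, "account no longer exists in AD"
    if not account.enabled:
        return False, "account disabled in AD"
    if account.account_expires is not None and account.account_expires <= now:
        return False, "account expired in AD"
    if account.password_last_set > session.issued_at:
        return False, "password changed after session was issued"
    if now - session.issued_at > MAX_SESSION_AGE:
        return False, "session exceeded maximum age"
    return True, "ok"

# Constructed sample directory: nurse2 reset their password this morning,
# contractor was disabled by the AD administrator.
NOW = datetime(2019, 9, 6, 12, 0)
DIRECTORY = {
    "nurse1": DirectoryAccount("nurse1", True, datetime(2019, 9, 1), None),
    "nurse2": DirectoryAccount("nurse2", True, datetime(2019, 9, 6, 9, 0), None),
    "contractor": DirectoryAccount("contractor", False, datetime(2019, 8, 1), None),
}

def check(username: str, issued_at: datetime) -> Tuple[bool, str]:
    """Validate a cached session for `username` against the current directory state."""
    return session_is_valid(CachedSession(username, issued_at), DIRECTORY.get(username), NOW)
```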


Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pyxis Enterprise Server: 4.4 - 4.12

Pyxis ES: 1.3.4 - 1.6.1

External links

http://ics-cert.us-cert.gov/advisories/icsma-19-248-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
