Multiple vulnerabilities in BD Pyxis MedStation ES System and Pyxis Anesthesia (PAS) ES System



Published: 2020-04-02
Risk: Low
Patch available: No
Number of vulnerabilities: 1
CVE-ID: CVE-2020-10598
CWE-ID: CWE-693
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Pyxis Anesthesia (PAS) ES
Hardware solutions / Medical equipment

Pyxis MedStation ES System
Hardware solutions / Medical equipment

Vendor Becton, Dickinson and Company (BD)

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Protection Mechanism Failure

EUVDB-ID: #VU26529

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-10598

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures in the "kiosk mode" functionality. An attacker with physical access can supply specially crafted input to bypass the implemented security restrictions and view and/or modify sensitive data.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Pyxis Anesthesia (PAS) ES: 1.6.1

Pyxis MedStation ES System: 1.6.1

External links

http://www.us-cert.gov/ics/advisories/icsma-20-091-01
http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletins/bd-pyxis-medstation-and-anesthesia-(pas)-es-system-kiosk-mode-escape


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


