Not Using Password Aging in BD Pyxis



Published: 2022-06-01
Risk Medium
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2022-22767
CWE-ID CWE-262
Exploitation vector Local network
Public exploit N/A
Vulnerable software
(BD) Pyxis ES Anesthesia Station
Hardware solutions / Medical equipment

(BD) Pyxis CIISafe
Hardware solutions / Medical equipment

(BD) Pyxis Logistics
Hardware solutions / Medical equipment

(BD) Pyxis MedBank
Hardware solutions / Medical equipment

(BD) Pyxis MedStation 4000
Hardware solutions / Medical equipment

(BD) Pyxis MedStation ES
Hardware solutions / Medical equipment

(BD) Pyxis MedStation ES Server
Hardware solutions / Medical equipment

(BD) Pyxis ParAssist
Hardware solutions / Medical equipment

(BD) Pyxis Rapid Rx
Hardware solutions / Medical equipment

(BD) Pyxis StockStation
Hardware solutions / Medical equipment

(BD) Pyxis SupplyCenter
Hardware solutions / Medical equipment

(BD) Pyxis SupplyRoller
Hardware solutions / Medical equipment

(BD) Pyxis SupplyStation
Hardware solutions / Medical equipment

(BD) Pyxis SupplyStation EC
Hardware solutions / Medical equipment

(BD) Pyxis SupplyStation RF auxiliary
Hardware solutions / Medical equipment

(BD) Rowa Pouch Packaging Systems
Hardware solutions / Medical equipment

Vendor Becton, Dickinson and Company (BD)

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Not Using Password Aging

EUVDB-ID: #VU63899

Risk: Medium

CVSSv3.1: 8.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-22767

CWE-ID: CWE-262 - Not Using Password Aging

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected products are installed with default credentials and may still be operating with them. A remote attacker on the local network can use these credentials to gain privileged access to the underlying file system and obtain ePHI or other sensitive information.
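The weakness described above (CWE-262) is an operational one: credentials that were valid on the day of installation are never forced to change. On the defending side, the practical control is an inventory audit that flags every device account still carrying its as-shipped credential or whose password has not been rotated within policy. The script below is an added example, not code from BD or from this bulletin; the device names, usernames, dates and the 90-day maximum are constructed for illustration, and the `vendor_default` flag is assumed to come from the site's own credential inventory.

```python
"""Password-aging audit over a constructed device-account inventory.

Added example, not BD's or Cybersecurity Help's code. Device names,
usernames and dates are constructed; the vendor_default flag is assumed
to be maintained in the site's credential inventory.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    device: str
    username: str
    vendor_default: bool             # still the as-shipped credential
    password_set_on: Optional[date]  # None: never rotated since install


@dataclass(frozen=True)
class Finding:
    device: str
    username: str
    issue: str                # DEFAULT_CREDENTIAL, NEVER_ROTATED, PASSWORD_EXPIRED
    age_days: Optional[int]   # password age where a set date is known


def audit_password_aging(accounts: List[Account], today: date,
                         max_age_days: int = 90) -> List[Finding]:
    """Return one Finding per account that violates the aging policy.

    Precedence: an as-shipped credential is reported as DEFAULT_CREDENTIAL
    regardless of age; an account with no recorded rotation date is
    NEVER_ROTATED; otherwise the age is compared with max_age_days.
    """
    findings: List[Finding] = []
    for acct in accounts:
        age = (None if acct.password_set_on is None
               else (today - acct.password_set_on).days)
        if acct.vendor_default:
            findings.append(Finding(acct.device, acct.username,
                                    "DEFAULT_CREDENTIAL", age))
        elif age is None:
            findings.append(Finding(acct.device, acct.username,
                                    "NEVER_ROTATED", None))
        elif age > max_age_days:
            findings.append(Finding(acct.device, acct.username,
                                    "PASSWORD_EXPIRED", age))
    # Worst first, so default credentials sit at the top of the report.
    order = {"DEFAULT_CREDENTIAL": 0, "NEVER_ROTATED": 1, "PASSWORD_EXPIRED": 2}
    findings.sort(key=lambda f: (order[f.issue], f.device, f.username))
    return findings


# Constructed inventory: hypothetical hostnames and accounts, not real devices.
SAMPLE_INVENTORY = [
    Account("pyxis-medstation-01",   "svc_maint",  True,  None),
    Account("pyxis-supplystation-07", "localadmin", False, date(2021, 9, 1)),
    Account("pyxis-ciisafe-02",      "localadmin", False, date(2022, 5, 15)),
    Account("pyxis-rowa-03",         "operator",   False, None),
]


def audit_sample(today: date = date(2022, 6, 1)) -> List[Finding]:
    """Run the audit over the constructed inventory as of the bulletin date."""
    return audit_password_aging(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.issue:<19} {f.device:<24} {f.username:<12} age={f.age_days}")
```

Run against the constructed inventory as of 2022-06-01, the audit reports the maintenance account still on its default credential, the operator account with no rotation on record, and the 273-day-old local admin password; the account rotated on 2022-05-15 passes. Feeding the same function a real inventory export is the recurring check that catches the condition this bulletin describes before an adversary on the LAN does.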

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

(BD) Pyxis ES Anesthesia Station: All versions

(BD) Pyxis CIISafe: All versions

(BD) Pyxis Logistics: All versions

(BD) Pyxis MedBank: All versions

(BD) Pyxis MedStation 4000: All versions

(BD) Pyxis MedStation ES: All versions

(BD) Pyxis MedStation ES Server: All versions

(BD) Pyxis ParAssist: All versions

(BD) Pyxis Rapid Rx: All versions

(BD) Pyxis StockStation: All versions

(BD) Pyxis SupplyCenter: All versions

(BD) Pyxis SupplyRoller: All versions

(BD) Pyxis SupplyStation: All versions

(BD) Pyxis SupplyStation EC: All versions

(BD) Pyxis SupplyStation RF auxiliary: All versions

(BD) Rowa Pouch Packaging Systems: All versions


External links

http://ics-cert.us-cert.gov/advisories/icsma-22-151-01
http://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
