Session Fixation in Pyxis Enterprise Server and Pyxis ES - CVE-2019-13517

 


Published: September 6, 2019


Vulnerability identifier: #VU20897
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-13517
CWE-ID: CWE-384
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Becton, Dickinson and Company (BD)
Affected software:
Pyxis Enterprise Server
Pyxis ES

Detailed vulnerability description

The vulnerability allows a local attacker to steal authenticated sessions.

The vulnerability exists because, when the device is joined to an Active Directory (AD) domain, access privileges are not restricted in coordination with the expiration of access driven by AD user account changes. A local authenticated user can use the AD credentials of a previously authenticated user to gain access to the device and obtain patient data and medication information.
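The missing control the description points at is that a cached device session is never re-checked against the live state of the AD account that created it. The following is an added example, not BD's code and not the Pyxis implementation; it assumes a hypothetical data model (`CachedSession`, `AdAccountState`, constructed timestamps) and shows the decision logic an AD-joined device needs: revoke a session when the account was disabled, modified, or had its password changed after login, or when the session is older than a maximum age, and force re-validation against AD when the cached check is stale.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data model for this example; it is not the Pyxis session store.

@dataclass
class CachedSession:
    session_id: str
    sam_account: str
    issued_at: datetime       # when the user last authenticated against AD
    last_ad_check: datetime   # when the device last re-validated the account with AD

@dataclass
class AdAccountState:
    sam_account: str
    enabled: bool             # False once the account is disabled in AD
    password_last_set: datetime
    last_modified: datetime   # any account change: disable, group membership, etc.

MAX_SESSION_AGE = timedelta(hours=12)     # assumed policy value
REVALIDATE_EVERY = timedelta(minutes=15)  # assumed policy value

def evaluate_session(sess, ad, now):
    """Decide whether a cached device session may still be honoured.

    Returns ("revoke", reasons) when the AD account state no longer supports
    the session, ("revalidate", reasons) when the cached AD check is stale and
    the device must re-query AD before trusting it, otherwise ("allow", []).
    """
    reasons = []
    if ad is None:
        reasons.append("account-not-found")
    else:
        if not ad.enabled:
            reasons.append("account-disabled")
        if ad.password_last_set > sess.issued_at:
            reasons.append("password-changed-after-login")
        if ad.last_modified > sess.issued_at:
            reasons.append("account-modified-after-login")
    if now - sess.issued_at > MAX_SESSION_AGE:
        reasons.append("max-session-age-exceeded")
    if reasons:
        return "revoke", reasons
    if now - sess.last_ad_check > REVALIDATE_EVERY:
        return "revalidate", ["ad-check-stale"]
    return "allow", []

def triage(sessions, ad_states, now):
    """Map every cached session id to its (decision, reasons) pair."""
    by_name = {a.sam_account: a for a in ad_states}
    return {s.session_id: evaluate_session(s, by_name.get(s.sam_account), now)
            for s in sessions}

# Constructed sample data: six cached sessions on one device, evaluated at 10:00 UTC.
def _t(hh, mm, day=6):
    return datetime(2019, 9, day, hh, mm, tzinfo=timezone.utc)

NOW = _t(10, 0)
AUG = datetime(2019, 8, 1, tzinfo=timezone.utc)

SESSIONS = [
    CachedSession("s1", "nurse_a", _t(9, 0), _t(9, 55)),    # healthy, recently checked
    CachedSession("s2", "nurse_b", _t(9, 0), _t(9, 5)),     # account disabled at 09:30
    CachedSession("s3", "nurse_c", _t(9, 30), _t(9, 30)),   # password reset at 09:45
    CachedSession("s4", "nurse_d", _t(9, 0), _t(9, 20)),    # healthy but check is 40 min old
    CachedSession("s5", "contractor", _t(9, 0), _t(9, 58)), # account removed from AD
    CachedSession("s6", "nurse_e", _t(20, 0, day=5), _t(9, 58)),  # 14 h old session
]

AD_STATES = [
    AdAccountState("nurse_a", True, AUG, AUG),
    AdAccountState("nurse_b", False, AUG, _t(9, 30)),
    AdAccountState("nurse_c", True, _t(9, 45), _t(9, 45)),
    AdAccountState("nurse_d", True, AUG, AUG),
    AdAccountState("nurse_e", True, AUG, AUG),
]

if __name__ == "__main__":
    for sid, (decision, reasons) in triage(SESSIONS, AD_STATES, NOW).items():
        print(f"{sid}: {decision} {reasons}")
```

The point of the `revalidate` outcome is that a device cannot act on AD changes it has not fetched: a cached session must be re-queried on a short interval (or on an AD change notification) rather than trusted until it expires, otherwise a disabled or reset account keeps working on the device until the next login.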



How to mitigate CVE-2019-13517

Install updates from vendor's website.


Sources