#VU20897 Session Fixation


Published: 2019-09-06

Vulnerability identifier: #VU20897

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13517

CWE-ID: CWE-384

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Pyxis Enterprise Server
Hardware solutions / Medical equipment
Pyxis ES
Hardware solutions / Medical equipment

Vendor: Becton, Dickinson and Company (BD)

Description

The vulnerability allows a local attacker to steal authenticated sessions.

The vulnerability exists because access privileges on the device are not revoked in step with the expiration of access that follows Active Directory user account changes when the device is joined to an Active Directory (AD) domain. A local authenticated user can use the AD credentials of a previously authenticated user to gain access to the device and obtain patient data and medications.
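The failure described above is a session that stays valid after the directory account behind it has been disabled or changed. The following is an added illustration, not BD's code, of the mitigating pattern: each session records a snapshot of the account's directory state at login and is re-checked against the directory on every use. The `DirectoryAccount` dict, the `password_changed_at` attribute (standing in for `pwdLastSet`) and the 900-second idle timeout are constructed assumptions.

```python
from dataclasses import dataclass
import secrets
import time

@dataclass
class DirectoryAccount:  # stand-in for what an AD lookup returns (constructed)
    enabled: bool
    password_changed_at: float  # plays the role of pwdLastSet
    groups: frozenset

@dataclass
class Session:
    user: str
    snapshot: tuple  # directory state the session was issued against
    last_seen: float

class SessionStore:
    IDLE_TIMEOUT = 900.0  # seconds; hypothetical policy value
    def __init__(self, directory, now=time.time):
        self.directory = directory  # dict[str, DirectoryAccount] standing in for AD
        self.now = now
        self.sessions = {}

    def _snapshot(self, user):
        # None means no longer entitled: unknown or disabled account.
        acct = self.directory.get(user)
        if acct is None or not acct.enabled:
            return None
        return (acct.password_changed_at, acct.groups)

    def login(self, user):
        snap = self._snapshot(user)
        if snap is None:
            return None
        # Always mint a fresh, unguessable id; never adopt one the client supplied.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, snap, self.now())
        return sid

    def authorize(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        # Revoke when idle too long or the directory no longer matches the login-time state.
        if t - s.last_seen > self.IDLE_TIMEOUT or self._snapshot(s.user) != s.snapshot:
            del self.sessions[sid]
            return None
        s.last_seen = t
        return s.user
```

Disabling the account, resetting its password or changing its groups in the directory invalidates the existing session on its next use, rather than leaving it usable until the device is rebooted or the session expires on its own.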


Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pyxis Enterprise Server: 4.4 - 4.12

Pyxis ES: 1.3.4 - 1.6.1


CPE

External links
http://ics-cert.us-cert.gov/advisories/icsma-19-248-01


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?
