Vulnerability identifier: #VU63899
Vulnerability risk: Medium
CVSSv3.1: 8.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-262
Exploitation vector: Local network
Exploit availability: No
Vulnerable software (category: Hardware solutions / Medical equipment):
(BD) Pyxis ES Anesthesia Station
(BD) Pyxis CIISafe
(BD) Pyxis Logistics
(BD) Pyxis MedBank
(BD) Pyxis MedStation 4000
(BD) Pyxis MedStation ES
(BD) Pyxis MedStation ES Server
(BD) Pyxis ParAssist
(BD) Pyxis Rapid Rx
(BD) Pyxis StockStation
(BD) Pyxis SupplyCenter
(BD) Pyxis SupplyRoller
(BD) Pyxis SupplyStation
(BD) Pyxis SupplyStation EC
(BD) Pyxis SupplyStation RF auxiliary
(BD) Rowa Pouch Packaging Systems
Vendor: Becton, Dickinson and Company (BD)
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected products are installed with default credentials and may still operate with these credentials. A remote attacker on the local network can gain privileged access to the underlying file system and access ePHI or other sensitive information.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
(BD) Pyxis ES Anesthesia Station: All versions
(BD) Pyxis CIISafe: All versions
(BD) Pyxis Logistics: All versions
(BD) Pyxis MedBank: All versions
(BD) Pyxis MedStation 4000: All versions
(BD) Pyxis MedStation ES: All versions
(BD) Pyxis MedStation ES Server: All versions
(BD) Pyxis ParAssist: All versions
(BD) Pyxis Rapid Rx: All versions
(BD) Pyxis StockStation: All versions
(BD) Pyxis SupplyCenter: All versions
(BD) Pyxis SupplyRoller: All versions
(BD) Pyxis SupplyStation: All versions
(BD) Pyxis SupplyStation EC: All versions
(BD) Pyxis SupplyStation RF auxiliary: All versions
(BD) Rowa Pouch Packaging Systems: All versions
External links
http://ics-cert.us-cert.gov/advisories/icsma-22-151-01
http://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.