Becton, Dickinson and Company (BD) submitted a report about two vulnerabilities found in its BD Pyxis automatic medication dispensing systems, BD Viper LT automatic molecular testing systems, and BD Rowa pouch packaging systems.
The two vulnerabilities are caused by using hard-coded credentials. When exploited, the vulnerabilities can permit an unauthorized person to access, change, and erase sensitive information, which can consist of electronic protected health information (ePHI).
The most critical vulnerability, monitored as CVE-2022-22765, impacts all BD Viper LT system versions beginning 2.0. The vulnerability was given a CVSS severity rating of 8.0 of 10.
BD is fixing the vulnerability at this time and will include the fix in the forthcoming release of the BD Viper LT system Version 4.80 software. Meanwhile, BD has recommended using compensating settings, for instance making sure physical access controls are set up, enabling authorized people only to get system access, not connecting the system to the network wherever possible, and in case it isn’t feasible to remove the system from network access, to employ industry-standard network security guidelines and procedures.
The second vulnerability monitored as CVE-2022-22766, impacts the BD Pyxis selection of products as well as BD Rowa Pouch Packaging Systems. The vulnerability was given a CVSS severity rating of 7.0 of 10. In case exploited, an attacker can get access to the file system and take advantage of software files that can be employed to decrypt software credentials or acquire access to ePHI.
Credentials are managed by BD and customers cannot view or used them to get access or utilize BD Pyxis devices. So to be able to take advantage of the vulnerability, threat actors need to get access to the hardcoded credentials, compromise a facility’s system, and acquire access to each device.
BD stated it is fortifying credential management features in BD Pyxis devices. At the same time, compensating controls may be used on the impacted items. These consist of restricting physical access to approved personnel, firmly managing the BD Pyxis system credentials given to approved users, separating items in a protected VLAN or behind firewalls, and keeping track of and recording network traffic. The Pyxis Security Module for automatic patching and management of virus definition is furnished to all accounts. Users must support their BD support group to make sure to update all patching and virus definitions.
BD wants transparency with its clients and makes product security data, which includes vulnerability disclosures, accessible via the BD Cybersecurity Trust Center. As part of this responsibility, BD published product security notices regarding the usage of hardcoded credentials. Customers or end-users do not use hardcoded credentials directly to acquire access to these systems.
There was no report of vulnerabilities exploitation in clinical environments. BD reported the vulnerabilities to the ISAOs, FDA, and CISA to bring up awareness.