1,400 Vulnerabilities Found in Popular Drug Cabinet System

According to an advisory issued by the Department of Homeland Security, a popular drug cabinet system has been found to have over 1,400 vulnerabilities, many of which could be exploited remotely using publicly available exploits. Furthermore, the exploits could be executed by an attacker with a low level of skill.

The drug cabinet discovered to contain these vulnerabilities is version 8.1.3 of the Pyxis SupplyStation by CareFusion, which has not been updated since April 2010. However, vulnerabilities exist in a number of older versions of the system, many of which are still in operation and are used in a number of facilities in the United States. The automated drug cabinets dispense products and maintain an accurate stock inventory in real time.

Two independent security researchers, Billy Rios and Mike Ahmadi, obtained a decommissioned Pyxis SupplyStation and conducted a static binary analysis against the system’s firmware to search for vulnerabilities. The researchers discovered 1,418 vulnerabilities existed in the version they tested.

The vulnerabilities do not exist in the drug cabinet system itself, but in out-of-date third-party software used with the machines. The old versions of the Pyxis SupplyStation run on Microsoft Windows Server 2003 and Windows XP, which are no longer supported. CareFusion confirmed that the vulnerabilities exist and provided details of the versions of Pyxis SupplyStation that are affected (versions 8 through 9.3).

The bugs that could potentially be remotely exploited are located in 86 different files in 7 different software vendor packages: Symantec’s Antivirus 9 and pcAnywhere 10.5, Sybase SQL Anywhere 9, SAP Crystal Reports 8.5, Flexera Software Installshield, BMC Appsight 5.7, and Microsoft Windows XP.

Since the vulnerabilities affect systems that run on outdated, unsupported software, the vulnerabilities will not be corrected with patches. Instead, CareFusion has issued advice to users of the systems who are unable to upgrade. The recommendations will not make the systems secure, but will reduce the risk of the vulnerabilities being exploited.

One of the most important mitigations is to isolate the systems and not have them connected to the Internet. If it is not possible to disconnect the systems, CareFusion recommends that they be run through a VPN.

CareFusion points out that VPNs may themselves contain vulnerabilities, so this measure alone will not protect the devices: network traffic should be monitored and VPN software should be kept up to date. It is also important to close all unused ports.

If pcAnywhere is used it must be upgraded to Version 12.5 Service Pack 4 or removed if it is not in use. ESET virus definitions should be updated and all Microsoft patches must be applied.

It is also strongly recommended to enable the password history tracking feature and to set strong passwords using the extended password feature. The best protection is to decommission the drug cabinet system and upgrade to supported versions which do not have the vulnerabilities.
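The mitigations above are easiest to act on when they are checked against an asset inventory rather than applied from memory. The following script is an added example, not code from the advisory, CareFusion, or this article: it takes a small constructed inventory of cabinet hosts and, for each one, lists which of the advisory's mitigations (unsupported OS, Internet exposure or VPN-only access, unused open ports, pcAnywhere below 12.5 SP4 or installed but unused, password history disabled) still apply. The `Host` fields, the inventory entries and the set of ports assumed to be legitimately needed (`ALLOWED_PORTS`) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Operating systems the advisory names as no longer supported by the vendor.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Minimum acceptable pcAnywhere release per the advisory: 12.5 Service Pack 4.
PCANYWHERE_MIN = (12, 5, 4)

# Ports the cabinet is assumed (for this example only) to legitimately need.
ALLOWED_PORTS = {443}


@dataclass
class Host:
    name: str
    os: str
    exposure: str                 # "isolated", "vpn" (reachable only via VPN) or "internet"
    open_ports: frozenset
    pcanywhere: Optional[str]     # installed version, e.g. "10.5" or "12.5 SP4"; None if absent
    pcanywhere_in_use: bool
    password_history: bool        # password history tracking feature enabled


def parse_pcanywhere_version(text: str) -> tuple:
    """Turn '12.5 SP4' into (12, 5, 4) and '10.5' into (10, 5, 0) for tuple comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\s*SP(\d+))?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised pcAnywhere version: {text!r}")
    major, minor, sp = m.groups()
    return (int(major), int(minor), int(sp or 0))


def triage(host: Host) -> list:
    """Return the advisory mitigations this host has not yet applied, in a fixed order."""
    findings = []
    if host.os in UNSUPPORTED_OS:
        findings.append("unsupported OS: plan decommissioning/upgrade")
    if host.exposure == "internet":
        findings.append("isolate from the Internet, or failing that route access through a VPN")
    elif host.exposure == "vpn":
        findings.append("VPN alone is insufficient: monitor traffic and keep VPN software patched")
    unused = sorted(host.open_ports - ALLOWED_PORTS)
    if unused:
        findings.append(f"close unused ports: {unused}")
    if host.pcanywhere is not None:
        if not host.pcanywhere_in_use:
            findings.append("remove pcAnywhere (installed but not in use)")
        elif parse_pcanywhere_version(host.pcanywhere) < PCANYWHERE_MIN:
            findings.append(f"upgrade pcAnywhere {host.pcanywhere} to 12.5 SP4")
    if not host.password_history:
        findings.append("enable password history tracking")
    return findings


def triage_inventory(inventory) -> dict:
    """Map each host name to its outstanding mitigations."""
    return {h.name: triage(h) for h in inventory}


# Constructed sample inventory; the host names, ports and versions are made up.
INVENTORY = [
    Host("cabinet-01", "Windows XP", "internet", frozenset({443, 3389, 5631}), "10.5", True, False),
    Host("cabinet-02", "Windows Server 2003", "vpn", frozenset({443}), "12.5 SP4", True, True),
    Host("cabinet-03", "Windows Server 2008 R2", "isolated", frozenset({443}), None, False, True),
]

if __name__ == "__main__":
    for name, findings in triage_inventory(INVENTORY).items():
        print(name, "->", findings or ["no outstanding mitigations"])
```

Hosts on an unsupported OS are flagged even when every other mitigation is in place, matching the article's point that the interim measures reduce risk without making the system secure; the only finding that clears that entry is decommissioning or upgrading.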

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.